23542300x800000000000000084662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:37.599{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825264531ADF3F97E002805F27E10C19,SHA256=CEBDE74F5CAAEC0181FAC50CA8A7334C3E3BD568E9466934B33B412EE02A744E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:37.037{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0392DA4BD8194BE4922157F1AC6AAED2,SHA256=CA896EA48CF8C3FC070CC83353C4D4613712483E8EF5A85E22079360614CBF64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:34.660{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51605-false10.0.1.12-8000- 23542300x800000000000000084663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:38.693{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB62870037A775AE9DF0552E3898233F,SHA256=491300AFDA429792CAE30A88CA7FA0D081B0A4DD42BBAF4C3DFB140A0C62A163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:38.130{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9B18DB348AD54459E0A6502CBCEE47,SHA256=1936DCB533A52ED56A624005DD0F74652AF0F39151333F97B33118ED9B7D14A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:39.943{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=178BD93BA824959F2442BC7DE30AC3FA,SHA256=5EFF056003DC3EB000EEECA8F4C5E9845950167AF08BE5D701F6822654968F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:39.786{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7C078EC5827203FFC63E310F15FED5,SHA256=5EB5FAA6D38111A40161A7894197D764D49165823BE6D77E239C303A31A5ED3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:37.785{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:39.224{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C556EA052DB4FF6FED7D88B47C6716CD,SHA256=373B98C1932C592F7132EF50BF2DE26FAD7598A49F66728A293E864EF0FC4422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:39.115{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6EE838195D2D1849D53718D493474C86,SHA256=8FEE58AFD01E013FA3536EB9F52DEBE049E186CCE85AB1B3E5124245FFAA40E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:40.880{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F888D0F186DDCAFAC8B364958BA9E1EE,SHA256=57F0B23B2E52FEF4B7173761CB0043600F45AE7EA8C2465212724A1ED3107F3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E68-623C-6805-000000004202}6796C:\Windows\system32\findstr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E50-623C-6405-000000004202}6544C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-43D6-623C-FF03-000000004202}3712C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4362-623C-F003-000000004202}4208C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4350-623C-EE03-000000004202}2816C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2A2F-623C-ED00-000000004202}2436C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28F5-623C-AE00-000000004202}5884C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28AE-623C-9E00-000000004202}5732C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A1-623C-8E00-000000004202}4668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A1-623C-8B00-000000004202}4584C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-289F-623C-8800-000000004202}4188C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-289E-623C-8600-000000004202}3292C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-288D-623C-8200-000000004202}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287D-623C-4F00-000000004202}3752C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287D-623C-4A00-000000004202}3652C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287C-623C-4300-000000004202}3448C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287C-623C-3C00-000000004202}3284C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3800-000000004202}2256C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.802{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3700-000000004202}2600C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3300-000000004202}2336C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-2F00-000000004202}3064C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-2C00-000000004202}2972C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2876-623C-2A00-000000004202}2808C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2874-623C-2900-000000004202}2732C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2874-623C-2800-000000004202}2724C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286E-623C-2100-000000004202}2144C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1700-000000004202}1400C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1400-000000004202}1088C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1300-000000004202}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1100-000000004202}408C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1000-000000004202}428C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.787{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-0F00-000000004202}100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.771{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-0E00-000000004202}980C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.771{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-0D00-000000004202}884C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.771{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286C-623C-0C00-000000004202}824C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.771{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.771{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286A-623C-0900-000000004202}560C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.771{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4E57-623C-6605-000000004202}6804C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.755{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.740{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.740{5F3DCEF0-4E50-623C-6405-000000004202}65446556C:\Windows\system32\conhost.exe{5F3DCEF0-4E68-623C-6805-000000004202}6796C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-4E68-623C-6805-000000004202}6796C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-4E50-623C-6305-000000004202}61046536C:\Windows\system32\cmd.exe{5F3DCEF0-4E68-623C-6805-000000004202}6796C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.735{5F3DCEF0-4E68-623C-6805-000000004202}6796C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXEfindstr doublezeroC:\Users\Administrator\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x8000000000000000117050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-4E50-623C-6405-000000004202}65446556C:\Windows\system32\conhost.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.724{5F3DCEF0-4E50-623C-6305-000000004202}61046536C:\Windows\system32\cmd.exe{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.732{5F3DCEF0-4E68-623C-6705-000000004202}6488C:\Windows\System32\tasklist.exe10.0.14393.0 (rs1_release.160715-1616)Lists the current running tasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtasklist.exetasklist C:\Users\Administrator\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=6F2FDCF651A1650FC7B4FC5A860E4D9D,SHA256=27EDDAC6A2E5A74DF67C534393B0B025B03D61310748BE016DCE348A02D30A22,IMPHASH=9C5CFDDF3336412B8046D54234415205{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000117042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:40.318{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351CC7211BB25CA987E4C288DA5D595F,SHA256=CCC861228D12678D4A2D1B917A00A086B5E1729FB44B3CC1EFEC67AA086D2ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:41.978{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72766B0E17AAA75610DBBDB6EA611C41,SHA256=C5FDB85EF6763789823C0A3168738BE3BB4FF478A5D17088B8E3E4BEA9385BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:41.802{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6004C071518401D59B5302D8EB33A393,SHA256=6D387E1013F19FA2CF590F1C08883ABEF913195EF3C582C18E041848C17819EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:41.630{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:41.521{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B06529DE72772A4A210ABB67376204,SHA256=0019ABD3EEBF6CCF8DE9EFE4A1A0518A33AB11BF2C7A0663A43E9BF2EFC962F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:41.505{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DAEAD3868CD1D3F1ABF3D4409FBBAD,SHA256=E6D33F4E74D0F8934960A6EB202DDF3BB82584845E7F04CB993C20DE0787A9E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:41.871{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-157MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:41.379{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000117535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.912{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:42.869{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-158MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:42.181{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:42.181{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:42.181{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.896{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.880{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.865{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.849{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E6A-623C-6A05-000000004202}2680C:\Windows\system32\findstr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E50-623C-6405-000000004202}6544C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-43D6-623C-FF03-000000004202}3712C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4362-623C-F003-000000004202}4208C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-4350-623C-EE03-000000004202}2816C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2A2F-623C-ED00-000000004202}2436C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28F5-623C-AE00-000000004202}5884C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28AE-623C-9E00-000000004202}5732C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A1-623C-8E00-000000004202}4668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-28A1-623C-8B00-000000004202}4584C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-289F-623C-8800-000000004202}4188C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-289E-623C-8600-000000004202}3292C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-288D-623C-8200-000000004202}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287D-623C-4F00-000000004202}3752C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287D-623C-4A00-000000004202}3652C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.833{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287C-623C-4300-000000004202}3448C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287C-623C-3C00-000000004202}3284C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3800-000000004202}2256C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3700-000000004202}2600C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3300-000000004202}2336C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-2F00-000000004202}3064C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-287B-623C-2C00-000000004202}2972C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2876-623C-2A00-000000004202}2808C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2874-623C-2900-000000004202}2732C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-2874-623C-2800-000000004202}2724C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286E-623C-2100-000000004202}2144C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1700-000000004202}1400C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1400-000000004202}1088C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1300-000000004202}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1100-000000004202}408C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-1000-000000004202}428C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-0F00-000000004202}100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-0E00-000000004202}980C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286D-623C-0D00-000000004202}884C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286C-623C-0C00-000000004202}824C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.818{5F3DCEF0-4E57-623C-6605-000000004202}68046240C:\Windows\system32\wbem\wmiprvse.exe{5F3DCEF0-286A-623C-0900-000000004202}560C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+6518b|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000117310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.802{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4E57-623C-6605-000000004202}6804C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.802{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.787{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-4E50-623C-6405-000000004202}65446556C:\Windows\system32\conhost.exe{5F3DCEF0-4E6A-623C-6A05-000000004202}2680C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-4E50-623C-6405-000000004202}65446556C:\Windows\system32\conhost.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4E6A-623C-6A05-000000004202}2680C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-4E50-623C-6305-000000004202}61046536C:\Windows\system32\cmd.exe{5F3DCEF0-4E6A-623C-6A05-000000004202}2680C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.780{5F3DCEF0-4E6A-623C-6A05-000000004202}2680C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXEfindstr doublezero.exeC:\Users\Administrator\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x8000000000000000117298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.771{5F3DCEF0-4E50-623C-6305-000000004202}61046536C:\Windows\system32\cmd.exe{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\system32\tasklist.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.779{5F3DCEF0-4E6A-623C-6905-000000004202}6440C:\Windows\System32\tasklist.exe10.0.14393.0 (rs1_release.160715-1616)Lists the current running tasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtasklist.exetasklist C:\Users\Administrator\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=6F2FDCF651A1650FC7B4FC5A860E4D9D,SHA256=27EDDAC6A2E5A74DF67C534393B0B025B03D61310748BE016DCE348A02D30A22,IMPHASH=9C5CFDDF3336412B8046D54234415205{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000117291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:42.615{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127D82F38D38E63DB701D58B89415E5F,SHA256=F2C9311F7241F815D044590F35E67826C9B6717892AD1D681D475E0A5AA31658,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:40.600{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51606-false10.0.1.12-8000- 23542300x800000000000000084673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:43.072{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BC9A01D0133CF09004A40C6412B1E1,SHA256=78854DD5F3920938DC88B9D4C1B7350B706FD554C639CF3BE9DA6598DC68E451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:43.037{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B672D4FD1138B4E07772DD5E44722A24,SHA256=C2358DA3072911F5AB0A49D2F3900441C9CBF79DD56CF9430678F52528968FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:43.021{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1147377BEC0D36BA2E70FF2BFDFA646,SHA256=51C09F0D83A6AEFEB514CA1234BD305FA1CF58FB2F0178544B562EBA750124C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:44.167{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C8E72EEF224ED18044EA214D46E8DD,SHA256=F7C5C687AB1495F6B2BEA484B9D35856BDB04659965F9325397D7E72300F52DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:44.177{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC01DE89B1D0F93D5963F369809BB75,SHA256=36D91318A746873EC77F230ACE79B7B5287002D0BB5A8ADC881E098A3D320ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:45.261{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F12B292659C5FFCDC12D023C870F9F,SHA256=BE192A00C538ECE6A8FA62BF1A9F28CEF99089943DC0E13F18A63B7B3F6C6820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:45.224{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA90B1DF3534DDCA199947660A648DC2,SHA256=28487393654A75BC697F231B97B533572A90C04DD6A2FAF516FDB979462D8A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:46.354{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE26E0C2A04982DBC71FC4B09EDD6E0D,SHA256=80A2E2F7F93BF92C963B2A581942AD1F1C98300320E5327A7A67459316DB3DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:46.318{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80699CA0C62E541349FB245889B22E92,SHA256=34ED07719E63489F38EF02B9AB11E0DD04806DEB73D0017567B6530401FC3BD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:43.832{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63204-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000084678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:47.448{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD7F3382D0DAFD642266F0C4B87D96C9,SHA256=28C97E26E8EEB9921C3556E35BF1B2DA3433FAE265AFF39A08F5A91FDED3EE09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:47.412{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209794C9CF56254BAF7F60319D955E92,SHA256=091097B512E1CC1058F5936BFCC68C53F7F50C267BCF5DC90872CCB908AB92DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:45.605{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51607-false10.0.1.12-8000- 23542300x800000000000000084679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:48.542{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682B2C11EDEBCE89620580AA4AF40120,SHA256=DE8BFCADAECEBD79C0A8F7D69B2874E16AD6F932D6A04DF2D5505D8573E72A0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:48.833{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:48.833{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:48.505{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0050F1AB3078946470330EDF800807A,SHA256=0E54C257C865793721312999DBE60A6CA9F1F4A8BE96820E263D509B2B977FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:49.636{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E533297A995F40F63C608581B48CFF7,SHA256=8713DC098A63B8AC04C737FBA4F20B153E3A971B63F6413C08945E5BEEDF37A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:49.599{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450AD666E26928601B499FF37C563248,SHA256=FCD1F05DAD8A29F5D81D42DBBCC93B106A061F0477CAAF543FBF00F7AACC29FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:50.729{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6ABFC3520A6DB82A6CA0C3E9411F57E,SHA256=1F09D668F70C9D8C5A464575A2408E000DA7C24C46A7BFEBD3AB68F77B8C0C66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:50.693{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF9F0A2C3E6D740668AEEB6B42A307C,SHA256=059321CD92394E52F74FB669EF169D6DD8B8C81D5AB1168A617CB9A0745028C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:51.823{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B24FDEF21C8975BA775172AC9C1970,SHA256=8AAA6BAD772D2962F7C9DB6AF8C43A003A7EC2291DFA718AD947B31F01363D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:51.787{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4030D88003C9FCAB4066A9F06FE4F8A0,SHA256=B3252F2320C04FC27419AB82DF485C1B4F90C6523F7EA0320B027F147A216009,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:49.863{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63205-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000084710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.948{9531C931-4E74-623C-FE04-000000004302}4163996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:52.990{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777E528C8A05B95BE9355AA10B403306,SHA256=B84C0829749A8B6E2CF47E43988F0E837ADD572073806CDCF61B762A6E0B8B4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4E74-623C-FE04-000000004302}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4E74-623C-FE04-000000004302}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.729{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4E74-623C-FE04-000000004302}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.730{9531C931-4E74-623C-FE04-000000004302}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4E74-623C-FD04-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4E74-623C-FD04-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.229{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4E74-623C-FD04-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:52.230{9531C931-4E74-623C-FD04-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:50.793{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51608-false10.0.1.12-8000- 23542300x800000000000000084712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:53.386{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5008CABB485C5EF773E058466BB6620,SHA256=3FE4F0D85D8F37CE16026B2229F8B07781442C9BF12882D01550ED2480CD2A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:53.386{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EC1D5D967E76A7F1200BCB9A064FDB6,SHA256=3C286D05F9F30EECA5FE83255BE0E8410CB8D283BD3F9B864E40D735B77430DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.271{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.271{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.271{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.224{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.224{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.208{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.178{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000117563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.162{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2022-03-23 15:36:07.099 23542300x8000000000000000117562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.162{5F3DCEF0-28A1-623C-9400-000000004202}5024ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=177F371888C035014245590A7544F0B8,SHA256=7F6B1398A194BA325EE5C324B1BF6466F58BBA08A7F80EEA25F83678F6D6E965,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000117561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.146{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\gclass5_frmt.txt.lnk2022-03-24 10:56:53.146 10341000x8000000000000000117560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.099{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.099{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.068{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.068{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.068{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.068{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.068{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.068{5F3DCEF0-28A1-623C-9400-000000004202}50242132C:\Windows\Explorer.EXE{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+18d1bc|C:\Windows\System32\SHELL32.dll+18cf13|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:53.073{5F3DCEF0-4E75-623C-6B05-000000004202}2520C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Temp\gclass5_frmt.txtC:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000117584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:54.856{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-157MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:54.570{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:54.570{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:54.570{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:54.445{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FEE9649BE53D4B9EB91152AA37F5D05,SHA256=348472A409C42B48090B79A913BFD777F71B597795469F27B3A91B37D30F00AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:54.146{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BB193071818E53752319E78A5F740278,SHA256=E7991311BE3955CC1AD23894D502A53C2BB9D85D9F00D7F27714676EC8C4AC75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:54.083{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08697BE189BD3139FFA71943FDB2720,SHA256=694821227FFC9BB6A5663319E018597E27E66942FB9608805F4096BA240F49BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4E76-623C-FF04-000000004302}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.996{9531C931-4E76-623C-FF04-000000004302}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.026{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5DE508C5B1D4D98791E28DB72C14AD5,SHA256=8DA66A6CAC06A5F2886EF0B9717C125B31FD39FBA0556249A749F11B1A0289D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:55.868{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-158MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:55.179{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D946F603BDCCA2C75EF36EE4FB19660A,SHA256=2AFDC409433BE7EB973F20D559EB99BB130380EEE677A0A7CC27D0E90E1E0572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:55.511{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C931287B19EC8CA8625BBC118BF825A1,SHA256=8600C67A0E1323B58B1076FEC14E8812D3D7B941EB5A52B77C52B96958BB2C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:55.120{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE183A2DFE1A85CD71FF5DAD1EB1A63,SHA256=5FC9151CBA17F653F7A6E600C43B0109C709E14590DB6990A6FA648F4D84370C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4E76-623C-FF04-000000004302}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:54.995{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4E76-623C-FF04-000000004302}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000117587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:56.276{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9838133AB0BCD44B264155298A7B222,SHA256=3AD8A02B367E20F5F3B45790703F4714FF5F8C29C906C033FB8689798CF6A501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.853{9531C931-4E78-623C-0105-000000004302}250496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4E78-623C-0105-000000004302}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4E78-623C-0105-000000004302}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.635{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4E78-623C-0105-000000004302}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.636{9531C931-4E78-623C-0105-000000004302}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.419{9531C931-4E78-623C-0005-000000004302}14204088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.213{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40092C6C8A1B4117E28FBA445801372,SHA256=6750AB92FA60EB9DC9F19965CE71053259127ECF4ABC64EF5586F70FF18D9001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4E78-623C-0005-000000004302}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4E78-623C-0005-000000004302}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4E78-623C-0005-000000004302}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.135{9531C931-4E78-623C-0005-000000004302}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.432{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2481C79C51E135D7B6224E5DD923EE2,SHA256=713498830FF64EBB146CB409262DDF163EDBD42284020B2C0D193B3F61EAF052,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.322{9531C931-4E79-623C-0205-000000004302}2564948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000117589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:55.837{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63206-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:57.373{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54AC3CDBF7F0B747FB56CE14D3B4D2C,SHA256=57280687EE3DAF8FAB18E5C0BCE04033F31E6F11EB2A464B58D51139BFFA5580,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4E79-623C-0205-000000004302}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4E79-623C-0205-000000004302}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.135{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4E79-623C-0205-000000004302}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:57.136{9531C931-4E79-623C-0205-000000004302}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:56.792{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51609-false10.0.1.12-8000- 23542300x800000000000000084774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:58.431{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF976731773C9D339537C0E3191B5E9C,SHA256=EFE23CEE3C3AC83D0DF312C86B27AF368819A07F896F2FB175FE18AD7705EC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:58.466{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45421666910D0091A305CD459D8314D4,SHA256=C13D4AF00A58E797EF26E2DCA108B582DF9CFA5C2565087BE081A4C477936254,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4E7B-623C-0305-000000004302}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4E7B-623C-0305-000000004302}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.556{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4E7B-623C-0305-000000004302}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.557{9531C931-4E7B-623C-0305-000000004302}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:56:59.525{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87FF676AB70CCEBBD1E24BD4E6B0853F,SHA256=727152426BEC2FB7A52EDF4323AD8866856D68FD57C6AEF19C4C5D8C1D87CC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:56:59.560{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A6403E746ECD33745483AB2C90B70F,SHA256=B00DB38C61D1DEE3FABE21D452CF15F6E49E547E9101EE77104D485310D799A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:00.760{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=904E5423BA847A16E2E81E61953F8EB2,SHA256=04CB67991575840DAE40D4AB64AECD428D4F98E09B44A78BA2A8E0BC58F2F613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:00.619{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC240FC1C28282C5E340E2E8E60BD8FA,SHA256=078F6BB29F36B1BBD0E0B1DEB140B1B651DCD0D579653E1528BEF8A9DFC5FB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:00.654{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA76054E6FCF625C59C55114CDBC923,SHA256=10E7B45541E7F4530CB6C9102D7525F4CB5BDE20BA518EE2C6C6D09D9229C084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:01.713{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E3A4706F408E36B19BA21226253072,SHA256=4C61441E3C210912CE9DF5AFE33F8EBA17F4D1C752BA371118BB65660B59F5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:01.748{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6684BF034514B9A63A97C3C541BD0F2F,SHA256=93DC4EFA1D2D08B1F636451A63CBD8C5154C4173CDEC53E8B4CC641F096A2DF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:01.170{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:01.170{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:01.170{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:01.170{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:02.806{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA1111EC42285835C8F8D4B66511EEF,SHA256=A1E91BF77FF467BBE4F38BDBE9CF1A318F0176121DACD0546282CF7C1D40553A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000117644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.936{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000117643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.920{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.920{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.920{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.920{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.905{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.905{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.905{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.873{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.841{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEE29F046AEF8F80D7F23D45F5FDBEC,SHA256=976D205D7324B6647E566378FE8BB3B66CD11548537AADAC9299DC95F4FFE405,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.826{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.826{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.826{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.826{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.826{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.810{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.779{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.779{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.513{5F3DCEF0-4E7E-623C-6D05-000000004202}6152352C:\Windows\system32\conhost.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4E7E-623C-6E05-000000004202}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4E7E-623C-6E05-000000004202}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4E7E-623C-6E05-000000004202}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.499{5F3DCEF0-4E7E-623C-6E05-000000004202}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000117609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.498{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4E7E-623C-6D05-000000004202}6152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000117608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:00.840{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63207-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000117607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.482{5F3DCEF0-28A1-623C-9400-000000004202}50246948C:\Windows\Explorer.EXE{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54 154100x8000000000000000117598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.492{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exe-----"C:\Temp\doublezero.exe" C:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=7D20FA01A703AFA8907E50417D27B0A4,SHA256=3B2E708EAA4744C76A633391CF2C983F4A098B46436525619E5EA44E105355FE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000084795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:03.900{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F2F3E6A3D4A0B38AE00057365C7DDC,SHA256=D881A61C38F59DE0A0FF1730961DBD4855274B4C0796E1CAF76E32587DF13761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:03.935{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB7B67F5E384E252336018B0BC378A9,SHA256=D92D73CF301FC543EC36B80B592F9426D21407AD83BE9BB4731B58651906D858,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000084794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 10:57:03.416{9531C931-286E-623C-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d83f6d-0xe50bb8bf) 23542300x8000000000000000117646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:03.576{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95A4818A86F3B636F8E3597975095778,SHA256=14C5ECDB1648BF4BE4A3B0B966EB0A0AF5DE0D63F084CB78D0DB33C336F9F030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:03.013{5F3DCEF0-4E7E-623C-6C05-000000004202}6280ATTACKRANGE\AdministratorC:\Temp\doublezero.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:04.994{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528D68ACE0E5DDDD210557E70D44C7D3,SHA256=7C687D09748B122FBB817635C82028F5DD1FF98700410427D679CD4650D7144B,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000117667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.935{5F3DCEF0-4E7E-623C-6C05-000000004202}6280win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Temp\doublezero.exe 10341000x8000000000000000117666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.716{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4E80-623C-7005-000000004202}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.716{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.716{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.716{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.716{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.716{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4E80-623C-7005-000000004202}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.716{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4E80-623C-7005-000000004202}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.717{5F3DCEF0-4E80-623C-7005-000000004202}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000117658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.696{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63208-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000117657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:02.696{5F3DCEF0-4E7E-623C-6C05-000000004202}6280C:\Temp\doublezero.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63208-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 10341000x8000000000000000117656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.248{5F3DCEF0-4E80-623C-6F05-000000004202}40001120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.045{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4E80-623C-6F05-000000004202}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.045{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.045{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.045{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.045{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.045{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4E80-623C-6F05-000000004202}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.045{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4E80-623C-6F05-000000004202}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:04.046{5F3DCEF0-4E80-623C-6F05-000000004202}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:01.807{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51610-false10.0.1.12-8000- 10341000x8000000000000000117674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.357{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.357{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.357{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.357{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.201{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9FE35D7CBE85F8947343C5D5FE6792C4,SHA256=1C9B433EB911967278A43CFD7266F7624DD044AC30C6D81B5295E51B0B8C507A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000117669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDBSetValue2022-03-24 10:57:05.045{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exeHKU\S-1-5-21-121674864-1922237361-2357191555-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\doublezero.exeBinary Data 23542300x8000000000000000117668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.029{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22622B3CE4600E43E25B4D99FB00E08,SHA256=66CCDCC9EF3C54C9FC3CB37329696506E94EFD46BCACB38470958ECC17C21321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:06.088{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B3F634CFCF0BBE36B5ECABD13F028B,SHA256=AE768F39AE6C55E27CBE1CC7EE000A4A8CBF7391C9E691320098FFAD1117FB5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:06.123{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5FE8466BCCE516FF9532103E038721,SHA256=4812E74341D1B81E2B1239AD52FCB5851EDA4AB40ACEF8D771753370C36C20CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.980{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63210-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000117687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.793{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63209-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000117686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:05.793{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63209-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 10341000x8000000000000000117685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.638{5F3DCEF0-4E83-623C-7105-000000004202}70245184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.451{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4E83-623C-7105-000000004202}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.451{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.451{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.451{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.451{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.451{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4E83-623C-7105-000000004202}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.451{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4E83-623C-7105-000000004202}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.453{5F3DCEF0-4E83-623C-7105-000000004202}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:07.217{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A111959677CD09892D942345CF6CD53,SHA256=162CDDC25EC0B8CE53A5B268F81DD8107B6DAF15C6547CBFBE9EFCB4FFC7FE5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:07.181{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA2E88A2147F900DB8261C0F6C13D53,SHA256=1F8959CA9E8B6F76E0E18E19E8486BEB5562B0CAC362550971AC8BF010A79182,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.638{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.638{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.638{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E50-623C-6305-000000004202}6104C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.638{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E50-623C-6405-000000004202}6544C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.638{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E50-623C-6405-000000004202}6544C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.638{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E50-623C-6405-000000004202}6544C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.638{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E50-623C-6405-000000004202}6544C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.498{5F3DCEF0-4E84-623C-7205-000000004202}50323536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.326{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4E84-623C-7205-000000004202}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.326{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.326{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.326{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.326{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.326{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4E84-623C-7205-000000004202}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.326{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4E84-623C-7205-000000004202}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.327{5F3DCEF0-4E84-623C-7205-000000004202}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.310{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD77C108AF8DA87ACF481788A7EC9588,SHA256=CFEE6BBE113BB3863A3469B092430925D0857E97349D24BFDDBF6DBCFBAA17DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:08.275{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E710AF2CFC86ED6FAF4A0C1355706583,SHA256=7550EBB5D72EFB474ADB9F785ED93F6C577E828F2F4823A13C36D50B83A8DC43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4E85-623C-7405-000000004202}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4E85-623C-7405-000000004202}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4E85-623C-7405-000000004202}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.670{5F3DCEF0-4E85-623C-7405-000000004202}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.420{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8F5B4122B1BC6E252D4D1E92970594,SHA256=C892BAC5B7FC78473D9572422441470B6AD03A153DEC979F6E79A0C860DC0D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:09.369{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475E4B6487E7703AEAA67AE151DE46F5,SHA256=06434714C4B4FB596CD1A081A7DEBEF3EB7D5D64994596CA8B9A2F84F8E65C31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:09.186{5F3DCEF0-4E84-623C-7305-000000004202}60163724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4E84-623C-7305-000000004202}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4E84-623C-7305-000000004202}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4E84-623C-7305-000000004202}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:08.998{5F3DCEF0-4E84-623C-7305-000000004202}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:10.529{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9DE5A6133CA5592CE651F3CD748F2E,SHA256=D7F2653D0FFB1B8AE4A0284E8BE956826165E10131E1824F1783E1488EC67432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:10.463{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F89F8E0387D51986EF886197C1860D3,SHA256=137CC0BEDFEEDAC48E51684923147BF2FF9011C3688E18CE9395808B2A833F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:10.029{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1480C850B0CA5088AF1AF253824F8FB6,SHA256=842507A4DE57C45EAFD479B0E80BD75299E4C069A481A941757867B46B2D91B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:07.573{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51611-false10.0.1.12-8000- 10341000x8000000000000000117733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.967{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-4E87-623C-7505-000000004202}4140C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.967{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4E87-623C-7505-000000004202}4140C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.967{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4E87-623C-7505-000000004202}4140C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.951{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4E87-623C-7505-000000004202}4140C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.951{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4E87-623C-7505-000000004202}4140C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.951{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4E87-623C-7505-000000004202}4140C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25bc9|c:\windows\system32\rpcss.dll+40ca2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.654{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.625{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44AE92A88CE248DCD3724BE71B50EA47,SHA256=486ADAEDA50BE5858F69E9D572D35DF0AA283593B65587F9E1288E615EC2550C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:11.556{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0F50F3D9B6C74E29A4B8FDA95B3423,SHA256=0166104BE69D4CFD548D60BA769C5BFD672B0AF0D81D832E540D238FED9F78B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:12.716{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C805A0187E5388D7E5A5E6910BA7FBA2,SHA256=46B1042F131C2FB90205843324A1701F6B2F403A8E4265B935D03779D078E663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:12.650{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DDEAD01086ECCBE1832A254EC9EE29,SHA256=5D9371C410818E3458492F8AD2454555561001F26E5B3FFF36A8CD1DD67A7E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:13.811{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A92A3703C82F3C1DA5FC5F7E7393278,SHA256=209B2892DA0568C7D32529F7522B4AC6A88EDEFB56EDAC02D1D4074D2BBBE182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:13.744{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D314D7E0645B38B2DB3A70D23FA93AED,SHA256=55F7BAFD046503B08D0BC50DDFB5D9C3E2E3EC08F6BB7E7BB8D63C74F7A4CF53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:11.949{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:14.904{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D970204C8457E4D18DA3AC764C392B,SHA256=F012BBEBD3E99697A0D3F3AA06C48BEDE7D3511919AD05F7F9FCF3F102CECDB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:14.838{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225188B4F8E221BFE6B554B0E76FE0B9,SHA256=772619139119ECE5AFF128451B7A42D96A2667BD55490E465E24CDA5AE19639A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:15.931{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9076E1D3F91824814EEBD3874F1844,SHA256=8D59856327B63DBEC2E63E28CE8FFA7D92B6B71F3EF9B7BA0028EE7223AE46B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:12.682{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51612-false10.0.1.12-8000- 23542300x8000000000000000117738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:15.998{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B91105E33DCE25980688DE4102C8827,SHA256=98EE7D35C59D6172B37D72ED351A63D26C6F7D696EF5433997101A1153582255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:17.092{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676E68D03D35646E742D9F76D00FA608,SHA256=D9D3B8FBDB02D047DF015549CA48F4B3A024381EE339C1F5115214D775DFEF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:17.029{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5D8DF645E1447EC474E429D0502B76,SHA256=F368FE704712B4068771C9940E41D43F7A548AB9CDAE1503D280443AF0C6F19E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:18.123{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306AE337F9267EFF93B7893C3FFBBD90,SHA256=4E968E74ED8006E7A623EE14A45ADB73E18FBB4940009A2042D395903E187AE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:16.981{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:18.186{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84742A81E7A420A10FD3A006DEBACA03,SHA256=4E20A6F9EADE529FE4F4E755F15EB888B4803ED5108FE73A387D33659ED6CB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:19.280{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166E77BDFBF12392E9182334F98D84D0,SHA256=0C893B3293EAC2CC05A32F480B7E0E4C94F75179A2176952BDCCD163FB0A4CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:19.217{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F042C2A5B35B8E7F2105F6ED6182857,SHA256=8DA52A2B00ACAD777AE7E1D8DB281CBCFF2800A5ED4D0DDFF10B1ADDECC3CEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:20.545{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54C8742E51BB80A41533007D593F3F9,SHA256=A2D80E928D52D5E8FA8419802C14DB7480AA0558F4081BA0E5186FC53E225170,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:18.657{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51613-false10.0.1.12-8000- 23542300x800000000000000084813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:20.326{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8FAB7ABE2C1F7EB787F7DD70386D90,SHA256=C5A2BF356521C92E5FE1F05466F4627B4F8A512B217E37589F659C26980CB633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:21.686{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D39F192788BF2D3A91032F08F5E0AD2,SHA256=6AAF733E570AA15BECD2B6B42B47045A2AC010D33BC7DF59603F3A13C6C90038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:21.420{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25920EB1C1D006B1F225AD4D30A4761,SHA256=46E57EC02F47B301D50570E8E0DEB7063BFD5AE3CDE2B0BF4135AA2D87FD25AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:22.780{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06425B572045233DBF23DE17415E9372,SHA256=656C84F750787CC5D10401F51E9D7957EC694BF9FAF5C39184A0FE768F9B8843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:22.514{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D26363417F87F0B1CB63886102E7C84,SHA256=F819A8FAE5D0E4E174CF0883C9625C9A1772AE66B605B15654B425CB06C38723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:23.889{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7957BFC07F6D10DCEB9163C8472637CD,SHA256=F84B9EDB42E6A188BAAB98AFC239243626EE406EEAC2ED97FFEC92E1DE7F5443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:23.607{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A82CFEDA3BDC2A8D628E898C36C48A,SHA256=FF39B220348399AADE5354CCB3C46B9C7F1D36E7565DE7EB5FB428856333EB7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:24.983{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC492B3F649DB7F802D6806A440385F2,SHA256=4AF7481035EF366D2BC9D098959E54D1ECBDD8932FE4800E69445CD265EFC6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:24.701{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A0D6A379913ED115AE4D155F026335,SHA256=45C2A2F79720CDCD22CE709339B640CED50403772542692A0C01E569D3B674B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:25.795{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95D259A13DABD3F28AEB89B24FB784C,SHA256=09AF4F5C4CFF9C1324D0EDCECAF22A3A8D94E05532B670F6409FE8C62196446C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:22.918{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63213-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000084820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:25.670{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D192966CF09BEB614FE2610453FD0F59,SHA256=EBADA65085A0DFA3E172AC7C217F6089BF01F910EE1A25407D77F8A08898B807,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:23.671{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51614-false10.0.1.12-8000- 23542300x800000000000000084822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:26.889{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD65854B51631EC4D379400BDF77054,SHA256=1115B75B0BF4FA6F14291B3B98D2B34AC081535799BDBD71C88788CF0E6E697B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:26.077{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF55F8FD8EBDB3FA9C09F5EC2A4EF35,SHA256=1E95AC3A445DF91780B0C65D83F6C7FF6F53C70E4A241CF58E16DB4DCC171B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:27.982{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A341881A5F9C2278493F936A8036A8,SHA256=22D77104E7F5F273BCB2D77A8BEE106208BC452A6B48558C4C167549BF281D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:27.170{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5210C3D6E628550685351FED0B35F6B,SHA256=35F45E5F29B8C12A05452CB6897F7F956BD2D7DB92BB8F951EEA198FDEA6914E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:28.264{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCC9B8B47ED513B872F533B87127256,SHA256=FDF87401DBBA282B1A3DFEC5F043E4AFEE81007A83C19698222C9988230C21C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:29.358{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C12AD3E5790A6212F54EDA0E2646E6,SHA256=1DD54D46C9049666B273DCF812E7147991F6C1AA4A80627D7F07470942A3285C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:29.076{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A1D50A07EC41C3174B7F17BAE13ED9,SHA256=DCA5C5BC09D208A9E86E3CECCE77A4FBAB92E572DF9933DA594BD7FD8D7FF6E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:30.452{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25875B356893D56FE254C62F2BA5C2A1,SHA256=CD40C53EDF8610FDEF0AB5C8C1CAD360914514265ECC93E89319ADFA89F0AD2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:30.170{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44395166ED1AC2E7DCFBB3243EFD3AC,SHA256=C50C2AAF1083146EACD882E390D45A9CDB76EE89FC664866D36D5E79771CC795,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:27.996{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:31.545{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3BDCFDDE46ED13819D0A5D9F6C7C73,SHA256=4FA68EF2EC095AD002B70F63F636225D16138AAEA4887208D0071924A6ED41F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:29.593{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51615-false10.0.1.12-8000- 23542300x800000000000000084827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:31.404{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:31.264{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885E8D919EEBA2AB01091BCFA208C66F,SHA256=647AFAE3FBBD395E8DA4AB440EDCCEFEC98121E382CDD51DA46878EB8FF183DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:32.639{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73999F3A1DB82DCFBCD9350BA2DB58F,SHA256=FCF4AC386EBEE30F8DF64BC066D30381668663D5EE042DBFB87FF60304967023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:32.357{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C252502B1B0E9CCBD75C59DD441544,SHA256=4F4D67DF99E3D54E92AE08DB0822EB0BAF7454FA350842C9AEB612AC12390D24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.795{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.780{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.780{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.780{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.780{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.780{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.733{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D593E04A8F9CB0DA2E8E6661DC9202FD,SHA256=31C815463AA1F77B4D9FAA7D30BD3F62C55831FABF57D292D2E12E0054ACCC1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:30.936{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51616-false10.0.1.12-8089- 23542300x800000000000000084830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:33.451{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417B0819A82554243DA8628E426A0DB0,SHA256=FA05BEFFCA7D049F0A20E7E60B331170C35597EBA8D6A5C085F23E6ACA171753,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.592{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.592{5F3DCEF0-286D-623C-1600-000000004202}12601932C:\Windows\system32\svchost.exe{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.592{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.468{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.468{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.468{5F3DCEF0-28A1-623C-9400-000000004202}50244504C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+d9c67|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54|C:\Windows\System32\SHELL32.dll+15602e|C:\Windows\System32\SHELL32.dll+cd0c1|C:\Windows\System32\SHELL32.dll+cffa6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000117757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.393{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe8.33Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\7-Zip\History.txt"C:\Windows\system32\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=4F97FC820667DEBD2A076D99E4656179,SHA256=7CBA6F6EDC53CAFAC8D74451EE4EFCFF1CA0D8EAF5BF111B9717B3A14BC5791F,IMPHASH=6BF41AAD44CE76BBBB7AA843748061B9{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000117782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.827{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F771CBF956B18F765E1F1867D3423468,SHA256=B67AAE4BF43AAD29DD1429F3E95E2F65510F5631765E0055ACA0F9195FB11387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:34.545{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0887D17CF3381814FA3DE754F7C907A6,SHA256=68B44E6F28C6C511AA0CE9450240E1AA617341B4606BD863E18DFEEA00CED631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.436{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86C4109A403ADACA46A111D499246B81,SHA256=A9DAFC9408DEC5AEDC5F75C32F6D12EF13E867238EDD9EC9423F3835F953AE70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.217{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.217{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.217{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.217{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.217{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.217{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:34.217{5F3DCEF0-28A1-623C-9400-000000004202}50246596C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:35.920{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BB7A148EA76A8D1909C6F9695D732D,SHA256=E3C23DA3A81E5624118DAAF900C502ED7205295FF3EFC92B45B4C24C7DD894DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:35.639{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EB64B2B1B9387085947EEE4944FBB1,SHA256=80F759C8464422A5E950958200BAC765C6F2887320FA7960A22D03CBC6847A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:35.498{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0876F4BC4AAF25E0518E2A761766AEFE,SHA256=11EA7F1B651A868A424CA4B0EF5597FC414D8D759DDAFD015C454F4C71E4F861,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:33.012{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63215-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000084834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:36.735{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C093C172F4DC8AC99625650FE733D52,SHA256=77E8648B2808E9CA926CB68B609945070FBCCF71D00971108C5A716EAEC1A3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:37.829{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D364BD719FEE2F3EBA6F97BEEE36C814,SHA256=F9F7366B69B98A4D1DDE7640CDF039277B4AE8774A58398402C9F9CEA3A60FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:37.017{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA3705DE1E50733772F1934F8AB7CBE4,SHA256=310C066184349FFDD6F25546C92E9EF618FB9A5BEBAF64A6E3EE3D56B68C3A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:38.922{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D4276EAABE65B1A16EE8707949EDB4,SHA256=49106B3B90913ABE9E861E30356F79103F27CC15E780F938E3B8C3B791298C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:38.111{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F07E6A704AB9CE45379EB5B4BC2313,SHA256=B6BE6B98FC51D5DF98EEF2DC4EC69078DC191DE76F7A5A950FD1E5B0D924F20C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:35.595{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51617-false10.0.1.12-8000- 23542300x800000000000000084838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:39.954{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4374DCBE5E7A04E2ADEED8A22E37CD2B,SHA256=06C9D7D7F931CE87856CE23B4BCDB0A14252A0496913F01BAA87E7C01D9360E8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000117799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000117798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0095f5a6) 13241300x8000000000000000117797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d83f65-0x982c84a6) 13241300x8000000000000000117796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d83f6d-0xf9f0eca6) 13241300x8000000000000000117795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d83f76-0x5bb554a6) 13241300x8000000000000000117794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000117793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0095f5a6) 13241300x8000000000000000117792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d83f65-0x982c84a6) 13241300x8000000000000000117791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d83f6d-0xf9f0eca6) 13241300x8000000000000000117790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 10:57:39.267{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d83f76-0x5bb554a6) 23542300x8000000000000000117789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:39.204{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE9FDBC1118277219A0BAA1A2059F90,SHA256=1206855BDC0ADEDCC70557C204728F0B99991252763CF820E2EB10C47E24DA51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:39.126{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=49B12265D65B1526B1C559D36BA9CE67,SHA256=E134DDBF216B2767FD5C09DF5BB1D939A3326B9399E2CF75DB43937E1CC7E805,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:38.985{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63216-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:40.189{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6754205CA183BF783BBC87C9847B28F,SHA256=D54BFF59BBEED2610A73500FB3110892CF56C69935F9C95959B5A1C65CB2CF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:40.016{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E5F21C3EC5AB21F334DE63DEA46E9D,SHA256=D4F0DB49441CB3A96C00B2B97BB3D7549DB0DD76FBCC6BD80127A2A72DC26921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:41.657{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:41.282{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4E74A2F9EF1B19599A1A4F8587E318,SHA256=B75D9F8096435152A3B8782CB44D3F57E5C147B7556CD910EC743931740BD6EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:41.001{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ADCA643CB022CEC3659DF4BF9C109E4,SHA256=4D9C4D41549390017EB16E6997180027AC97FBFBC101A94D1B795A1F154A25A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:42.376{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40D42BE497920DACF75AB23F4CB9696,SHA256=DD8DC9E74BA81781A806AB1B803E39270022B91CA5A665B62FB6FEBC4889C15C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:40.738{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51618-false10.0.1.12-8000- 23542300x800000000000000084841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:42.094{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F507F5FA348DDED449A9CC8566CA367,SHA256=A5BF93F1F495266AF8B4E001339EFD3BEDECD1B74679F3AA230DC08C3F49E024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:43.470{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EB161964675A5E744FBD114DF21C74,SHA256=A3AF45F49C9B8560592CC983EB02D75709529D9B13EB6EA2FF68F810D991EA9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:43.395{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-158MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:43.189{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BA0FEAFF360CA63640E4FC26FA334A,SHA256=E109ECE04C4F9D5DF2A5AC16D8C74AA9B0702DB7C3CDB88E455201687D323AC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:41.405{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000117807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:44.564{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA47C63CDE48864509ABD3B250EE3D4,SHA256=8811CB474EEC2AF40A5CDDAC9E6B6BDA24EB3FD9807F9135E84E0675F5092D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:44.409{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-159MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:44.283{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48A51FF7759B1F0BF9E3C97BA9D05C7,SHA256=CDADA96CB4A2F80FE877CC8D9BA1C51DA6E58F35625AFE91570401DFFED0B333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:45.657{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75743DDD7BD22E49787D2D77A044D10A,SHA256=DE94732248134E74358B9E4487DC33C29627B244E6282863398F7C9BC379F33C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:45.381{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1B3045B8952B09E8C7196AE2B894EB,SHA256=BB069E3CE30F70B49EBEDD6184CFD977C43E994E61067E9C4F59666C25B9577E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:45.282{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:45.282{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:46.751{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F455913FE1FEDB5ABFFDC7DE6791F2C0,SHA256=309E74E399A6D0FC877A8C3D9AB8736AE53112D18FF8697B3A2C22BA2AFBE82B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:46.475{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB386CFDFC3927590A34BAD5B54E64E,SHA256=91E05A02BB177B4670262D734B199514BC889ED1A443D28183E1624ABF65EE29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:44.936{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:47.845{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420CA277842618349AC92012EA310633,SHA256=895AC594A23AE351AADC0A6A469A7A9516D27EC64EF4793D8B31DB8AF1905081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:47.568{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE394E94B56A2785F1E0171BA8CC32FD,SHA256=C680A4329E9C7E8312C273EA9398C5A7B67FBFCD007718CCEC9C98B27A13F2E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:48.954{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D1C918F7B0BECB87BCE00FA791EBF9,SHA256=1E7FF5C979A12E8D9262DDF00AEA2DB7B6D528445B9F42FAFF363EC5C0EDC16E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:48.662{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D416CAEECE5313EE2EB806CA0C07B4F,SHA256=2A20DB1416B68C46B4B9E14EAF78D998D44F8A64156696E6CF409206FFE4434C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:45.757{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51619-false10.0.1.12-8000- 23542300x800000000000000084852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:49.772{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C072BAC85D5037BBC79A5C1B893CE0,SHA256=6DA86C2A5BECFD46F24F3BEF568CC0C0410A1939A20C9C54822AB70C9890806B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:50.865{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6124D353E7078ACB013A4A9D376508D1,SHA256=3506C4D3C5F78E2F6E56F311F76899967198658A1BEB8CE4E5DBC1263F415668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:50.048{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80B4AD0C2E33DCAEFCC438A1646FBEE,SHA256=EABD6EF8531F17C7D8102C71E5B6145B54CA048FEFB4A98BC171C5538FF06B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:51.959{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE7C0AC12718500B335C3A2AE921260,SHA256=C766325BDF85A4B616EACC7E3D7179BE803AC85B947F3E63C6639A9C47A286F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:51.142{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4FB394F5E157366789F906AEAEF41E,SHA256=FCDA88F79710E967F19F38AE431DA5FD9926F8877A7E5B793CECE4A6E56C5869,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:50.858{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:52.236{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F4C7764F9F0CC8EDE2EAB7FCBE4DD4,SHA256=2B205A44E44C9061EB3D3BEC51DD9B9A3CEC81CB8489652B9D7AEE8F3EC0A549,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EB0-623C-0505-000000004302}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4EB0-623C-0505-000000004302}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EB0-623C-0505-000000004302}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.772{9531C931-4EB0-623C-0505-000000004302}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.475{9531C931-4EB0-623C-0405-000000004302}24002928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EB0-623C-0405-000000004302}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4EB0-623C-0405-000000004302}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.256{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EB0-623C-0405-000000004302}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:52.257{9531C931-4EB0-623C-0405-000000004302}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:53.329{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3DDD6ACE6FA5A1C0789D55E8D89A1F,SHA256=61140626D3229B8E56246370D28219AED7C8C76019F7BCE41306D8E4BAE07957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:53.506{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82FCC0EBEBCFDE6B8140BFFC60282F2,SHA256=1E15DB858004A5254E193D9F2049C679A9F7878C5F76074FE907F00902CC6585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:53.506{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93953CC45DBA14E2A11A59160028B2F6,SHA256=6A77138759F8AEE82A7F69D9EBEE1F43AD2EB6A607BB2DFBDCD4D9FFDAA82C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:54.423{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAB1DA00CA62FD761AE368E96CF937D,SHA256=DC308EE432547CC4081BBDD9BEFBBBD24365738978FDF0ECA1CEE6ECEED233CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:54.600{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F4AE753E35269737369A6AACD5EB1B,SHA256=6ABDE61A5E0923A722CCA1B32677BC25E5FA4140D4607BF7DDE59C81D27F4A8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:51.726{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51620-false10.0.1.12-8000- 23542300x800000000000000084900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.787{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4A29A75CEB9944A9F891C556D6574BC7,SHA256=2D65FB3DE634183C86B613C5F42A8EF0589095348617F2170B260517C2D8BA7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.693{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB908F9AB726AEE26B48BC537ADC8F8,SHA256=261254196B37570537D374EB50D4BF275ED416567CE88525326BA5DB719DCA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:55.517{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDB4A87487DE5BF8118B7D5BCFDC1E3,SHA256=D7C1FD1F63E8E8FF18130741609D81A197975EB14C831C08F1960640F9AE302F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EB3-623C-0605-000000004302}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4EB3-623C-0605-000000004302}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.006{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EB3-623C-0605-000000004302}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:55.007{9531C931-4EB3-623C-0605-000000004302}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.911{9531C931-4EB4-623C-0805-000000004302}4322704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.971{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.971{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.971{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000117833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDBSetValue2022-03-24 10:57:56.971{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exeHKU\S-1-5-21-121674864-1922237361-2357191555-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\doublezero-cleaned.exeBinary Data 10341000x8000000000000000117832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.971{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.956{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.956{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.956{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.956{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.956{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.956{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.956{5F3DCEF0-28A1-623C-9400-000000004202}50243716C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+18d1bc|C:\Windows\System32\SHELL32.dll+18cf13|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.958{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe-----"C:\Temp\doublezero-cleaned.exe" C:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=38A15145105BE943415EB1B1602C9C31,SHA256=0608FB940E1CE2EF38E3D16A6A0E436390AE87A193C4FE9AC7118510DB86B495,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000117823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.596{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B218035325E30820DDB3A37A5B3C4A5C,SHA256=8A6856815840CB1CE2714B389811E09D68E67FF7BA718F2E318EB52497881C96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EB4-623C-0805-000000004302}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4EB4-623C-0805-000000004302}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.659{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EB4-623C-0805-000000004302}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.660{9531C931-4EB4-623C-0805-000000004302}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.424{9531C931-4EB4-623C-0705-000000004302}26601328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EB4-623C-0705-000000004302}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4EB4-623C-0705-000000004302}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.159{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EB4-623C-0705-000000004302}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.160{9531C931-4EB4-623C-0705-000000004302}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.380{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-158MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.752{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182497B6F9A448FAFB1829B778CACCE7,SHA256=E329F1356952D08B8BAA8625E092AE6F87CFF572108AABFA5E683B5B72027088,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.330{9531C931-4EB5-623C-0905-000000004302}25921916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443D7EBB77FCB591DADD0C3F24DE3BA7,SHA256=FCEBCD247BF92C784865DCA4AE71D93D385D443FC550A847482E8A231161DDF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EB5-623C-0905-000000004302}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4EB5-623C-0905-000000004302}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.174{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EB5-623C-0905-000000004302}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:57.175{9531C931-4EB5-623C-0905-000000004302}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.394{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-159MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.300{5F3DCEF0-4EB4-623C-7705-000000004202}844ATTACKRANGE\AdministratorC:\Temp\doublezero-cleaned.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000117861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.190{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000117860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.175{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.175{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.175{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.159{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.159{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.159{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.159{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.129{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.065{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.065{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.065{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.065{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.065{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.018{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.018{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.018{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.018{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.003{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.003{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.003{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.003{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.987{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.987{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4EB4-623C-7805-000000004202}7056C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.987{5F3DCEF0-4EB4-623C-7805-000000004202}70564572C:\Windows\system32\conhost.exe{5F3DCEF0-4EB4-623C-7705-000000004202}844C:\Temp\doublezero-cleaned.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000117869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.949{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63221-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000117868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.949{00000000-0000-0000-0000-000000000000}844<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63221-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000117867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:56.875{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63220-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000117866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:58.818{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F2A4638BC14516CC31404C9E60228D,SHA256=924B40F5DFF39B7201DC093D7D8BD31A944A03F9F434484400ED87D4C9EFC176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:58.002{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D30E3AC44AE5A403737D3931FC7EBC2,SHA256=F361FA84B19C6335612B4E73DC5DB19AA2722956B73FC0BA519FD2DA4C13B592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:58.130{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F19E67A130E7D7E8F0FEBE53CF742D82,SHA256=258DCA3D90BF529BCFC1B086420C78BE14724869E6768EB0DA1BDE2712FB14F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.991{5F3DCEF0-4EB7-623C-7905-000000004202}5304ATTACKRANGE\AdministratorC:\Temp\doublezero.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000117914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.865{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000117913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.837{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.837{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.837{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.837{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.818{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.818{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.818{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EB7-623C-0A05-000000004302}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4EB7-623C-0A05-000000004302}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.549{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EB7-623C-0A05-000000004302}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.550{9531C931-4EB7-623C-0A05-000000004302}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:56.769{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51621-false10.0.1.12-8000- 23542300x800000000000000084945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:57:59.096{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461F1BBBA29C6A0A784823913C4B17C4,SHA256=D3E75FE8E80450FA15982C62DF8830FFC76E6E9AF0AF2948058A2DB5C95875DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.724{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.677{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.677{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.677{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.677{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.662{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50243552C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.646{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.630{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.630{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.630{5F3DCEF0-4EB7-623C-7A05-000000004202}64724308C:\Windows\system32\conhost.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4EB7-623C-7A05-000000004202}6472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-28A1-623C-9400-000000004202}50242088C:\Windows\Explorer.EXE{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+18d1bc|C:\Windows\System32\SHELL32.dll+18cf13|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.615{5F3DCEF0-4EB7-623C-7905-000000004202}5304C:\Temp\doublezero.exe-----"C:\Temp\doublezero.exe" C:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=7D20FA01A703AFA8907E50417D27B0A4,SHA256=3B2E708EAA4744C76A633391CF2C983F4A098B46436525619E5EA44E105355FE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 13241300x8000000000000000117877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDB-VerSetValue2022-03-24 10:57:59.349{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\REGISTRY\A\{07b02f55-7c29-51bf-28d7-371d3b938546}\Root\InventoryApplicationFile\doublezero-clean|db7e310811bb3823\BinProductVersion(Empty) 13241300x8000000000000000117876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-24 10:57:59.349{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\REGISTRY\A\{07b02f55-7c29-51bf-28d7-371d3b938546}\Root\InventoryApplicationFile\doublezero-clean|db7e310811bb3823\LinkDate05/28/2071 22:00:51 13241300x8000000000000000117875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDB-PubSetValue2022-03-24 10:57:59.349{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\REGISTRY\A\{07b02f55-7c29-51bf-28d7-371d3b938546}\Root\InventoryApplicationFile\doublezero-clean|db7e310811bb3823\Publisher(Empty) 13241300x8000000000000000117874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDB-PathSetValue2022-03-24 10:57:59.349{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\REGISTRY\A\{07b02f55-7c29-51bf-28d7-371d3b938546}\Root\InventoryApplicationFile\doublezero-clean|db7e310811bb3823\LowerCaseLongPathc:\temp\doublezero-cleaned.exe 924900x8000000000000000117873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.349{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\Device\Harddisk0\DR0 924900x8000000000000000117872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.349{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exe\Device\HarddiskVolume1 13241300x8000000000000000117871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDBSetValue2022-03-24 10:57:59.302{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exeHKU\S-1-5-21-121674864-1922237361-2357191555-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\doublezero-cleaned.exeBinary Data 22542200x8000000000000000117870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:57.186{5F3DCEF0-4EB4-623C-7705-000000004202}844win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Temp\doublezero-cleaned.exe 23542300x8000000000000000117917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:00.927{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1ED3C675132D48B8465E57CB3F2FCC,SHA256=677E7940731FB0683D40664FD559F1D5C5BD26C1BD60B0E4003E625F7198E36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:00.737{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99442F8C4AAD2B50EC1EA531DE5D8196,SHA256=346100BD4974550977765ED4E9A6FE45C87943162609B76D25C1F9A5CE47BB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:00.190{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6E44C8CEF5F547F29649DEF642F79D,SHA256=F996B5F2EAA215A7D5807E9210BB5F026FCD1636BA31E0BC548A207BDCB9A772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:00.146{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD575B1CB97F21D9461A0E4A56C371D1,SHA256=1904855380219A665E382E26A75DD668B9805E73370E4ACD95B9C0BDC87A88E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:01.284{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5D7D9B2AA4623AA0FAB85CDC62EF3F,SHA256=085D7B473B3C51E017DBE8434AD1F80EC4235741D93FCF1F071C11ACD0E96211,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000117921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.852{5F3DCEF0-4EB7-623C-7905-000000004202}5304win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Temp\doublezero.exe 354300x8000000000000000117920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.008{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local64522- 354300x8000000000000000117919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.007{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53022- 354300x8000000000000000117918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.006{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local59161- 23542300x800000000000000084963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:02.377{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7AD384B0A78475BC356EBF63723C15B,SHA256=FBA4E17745E2F58D484AF2A8C7ECD330FA47830BDEB6DC7D18B5ABC35069F05A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.505{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EBA-623C-7B05-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.505{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.505{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.505{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4EBA-623C-7B05-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.505{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.505{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.505{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EBA-623C-7B05-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.506{5F3DCEF0-4EBA-623C-7B05-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000117925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.613{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63222-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000117924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:57:59.613{00000000-0000-0000-0000-000000000000}5304<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63222-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 13241300x8000000000000000117923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDBSetValue2022-03-24 10:58:02.037{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exeHKU\S-1-5-21-121674864-1922237361-2357191555-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\doublezero.exeBinary Data 23542300x8000000000000000117922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:02.021{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90BB073016BB5AA28A49F5F4E1EB92AC,SHA256=46436CF07D1B2E6E4E9429DAB2CB552C7E96B32943BC8194A7572EB69D583F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:03.471{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1C875CBC9AE22CEDA5F33A98FC0162,SHA256=517C5B6CE940AE5D68BCD7EB84CAD008125D89F8A6852EE7A0D082502FED01D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:03.599{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAB936F214C8500699D981D628E484C6,SHA256=6588B6A39128E7EA3A74087D716707BBC89C8ED85119F6237200E1B7F17B5AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:03.115{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB0F5551A94C4F459EDE14FA3F88652,SHA256=CF5BF2010FB4FCC0EEBFC60B894D4211A99A615FDA3869A8DFCAE4A5B6848264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:04.565{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A83E9C75C5197652B14BF198E120F82,SHA256=8C14019FD7F00AC1BBB768AC05D10B0627EED7622A87CA09D63F27D76BD43890,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.537{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EBC-623C-7D05-000000004202}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.537{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.537{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.537{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.537{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.537{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4EBC-623C-7D05-000000004202}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.537{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EBC-623C-7D05-000000004202}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.538{5F3DCEF0-4EBC-623C-7D05-000000004202}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000117946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.302{5F3DCEF0-4EBC-623C-7C05-000000004202}3802696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.208{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CA54973A530251AFE09DBA3E55C395,SHA256=FCDE6106EFE669CC36028D0BCA7BF0E4B6E5313F716DFAA0EE39C08F3A170BDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:01.925{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63223-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000084965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:02.769{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51622-false10.0.1.12-8000- 10341000x8000000000000000117943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EBC-623C-7C05-000000004202}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4EBC-623C-7C05-000000004202}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EBC-623C-7C05-000000004202}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:04.037{5F3DCEF0-4EBC-623C-7C05-000000004202}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:05.659{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124A96A31429059E055C69298D8C4CBB,SHA256=1AC16D59CFF9A0256F87A3BA895AA63EB57318105BF49A2B09445E3B0B013B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:05.755{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DCF1D0A2872A412BD00563170F473C47,SHA256=115C1598B884ED47184C7CF854DC3C3CF6DDBF66783C9C0D0886165ABD3C37E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:05.302{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D7A4479121D36AF5FFF0E2CDB4FA17,SHA256=6B2F8E014A65715B636F2EEF5A33396DE855A5E91527A3D4C266D2B33B5DE136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:06.752{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFDF1A3F5EE008081DDE61378AA6455,SHA256=5200A3C185E608364F3C5564B413A86D06916FC2336049C57B4E9564D639ED22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:06.412{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D598F27AB40BB899751D54D9D9EFF607,SHA256=00D103E5D6743A4E2DD3A170DF29EA647DB289C653D119EE810B13742BBDC138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:07.846{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A6AAD4A7340FD1C32A61C1B9FDE6C4,SHA256=44BE3A4F30A1338715DFEC506E00FBFDD960CFB421D1DAD9E0FEEC6537A638D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.787{5F3DCEF0-4EBF-623C-7F05-000000004202}22885052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.585{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.585{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.585{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.505{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21FE4C46D83ECFAFCD892C993425CB2,SHA256=E1BB7889051A71D40468AAF29C8AC8483C6771FD3A7B1A7ADFD46132CB784270,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.458{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.458{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.458{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.458{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.445{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EBF-623C-7F05-000000004202}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.445{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.445{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.445{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.445{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.445{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4EBF-623C-7F05-000000004202}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.445{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EBF-623C-7F05-000000004202}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.446{5F3DCEF0-4EBF-623C-7F05-000000004202}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000117966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.349{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.349{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.349{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-4EBF-623C-7E05-000000004202}5224C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.349{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.349{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.349{5F3DCEF0-28A1-623C-9400-000000004202}50246948C:\Windows\Explorer.EXE{5F3DCEF0-4EBF-623C-7E05-000000004202}5224C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+d9c67|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54|C:\Windows\System32\SHELL32.dll+15602e|C:\Windows\System32\SHELL32.dll+cd0c1|C:\Windows\System32\SHELL32.dll+cffa6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000117960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.361{5F3DCEF0-4EBF-623C-7E05-000000004202}5224C:\Program Files\Notepad++\notepad++.exe8.33Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\3.png"C:\Windows\system32\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=4F97FC820667DEBD2A076D99E4656179,SHA256=7CBA6F6EDC53CAFAC8D74451EE4EFCFF1CA0D8EAF5BF111B9717B3A14BC5791F,IMPHASH=6BF41AAD44CE76BBBB7AA843748061B9{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000117959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:05.801{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63224-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000117958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:05.801{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63224-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x800000000000000084970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:08.940{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7968258AD5237A4E564D44C0FD9EB59,SHA256=E0A027AD3C31813407900930463E2EA81AD075E2E7E6FAAF1CC71EB55253503A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.974{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EC0-623C-8105-000000004202}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.974{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.974{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.974{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.974{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.974{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4EC0-623C-8105-000000004202}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.974{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EC0-623C-8105-000000004202}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.975{5F3DCEF0-4EC0-623C-8105-000000004202}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.662{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02574D865A0266B34406BEE12C8BA41F,SHA256=4A3638F132ACBB58E44FF4150FFA6273B669FC93A19E04A29021D8903624DAC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.302{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EC0-623C-8005-000000004202}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.302{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.302{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.302{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.302{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.302{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4EC0-623C-8005-000000004202}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.302{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EC0-623C-8005-000000004202}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:08.303{5F3DCEF0-4EC0-623C-8005-000000004202}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.771{5F3DCEF0-4EC1-623C-8205-000000004202}20362852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.708{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3A4238CA31853A430CA64A48EA662E,SHA256=EEE42C6C18460513BC55D8EC99EE598E4B2E5B41586ABEBD765A61A65240780C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.474{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EC1-623C-8205-000000004202}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.474{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.474{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.474{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.474{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.474{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4EC1-623C-8205-000000004202}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.474{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EC1-623C-8205-000000004202}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.475{5F3DCEF0-4EC1-623C-8205-000000004202}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:09.211{5F3DCEF0-4EC0-623C-8105-000000004202}46922140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:10.802{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42CEE6EA05BFBD1C3C2F0154CC996FC3,SHA256=A2B3F23A69A172B66423DABF72380F11F366CDCC0233DC3E6A1B355262DE72C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:08.769{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51623-false10.0.1.12-8000- 23542300x800000000000000084971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:10.034{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21DEE34E4AA394AE782F8BE8C2C77CA,SHA256=E6DD9154F0AFB2C9964F106EFBAE7275EE4D2A416F1F9D28A6A7026D57038D4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:07.956{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63225-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:10.068{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B05715BEB82C02FFF2CADFE7FD40BC2,SHA256=E43240CDB4D4FF6F36BEA3E5CE29F8712CC9A5935D5A0B7CF983931A6F50AE24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:11.896{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6FFFCDE7DB6F32B992F5F480D32C5A,SHA256=62A7FC2B04578F22C9AE1FECB6CF3E56EB9C29FDD8A2FA936EE021BB88F5B084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:11.127{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D9BDE6466D8D1B1D66DCA2D822BBB4,SHA256=BCEAAD5CFF99F690DC5E0A35C194330F6AF95402C3A2299DE40D3D03FA1D5407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:12.990{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98653B7CAC961FEE1DC936A2333CF9BD,SHA256=5304F39DEA53ED52192DDAE7A4E221F8B7021E4312113454F17AE90945E16A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:12.221{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3AAE279A64B077B7554F60EAA5A8662,SHA256=EAE231499F1CE9A3D98B0E184C978CB11EB6D307124CBDD51056B15767879A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:13.315{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F586A8F3C67ECE1C3C2D46E613136C45,SHA256=0A0B1CA5BA00D3350973E418A3C2DA980FD303E7F5B4CBB6496002E0677BBF62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:14.409{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B133710D2105DDBC950A48130A4448,SHA256=A8AD59FDFD6083BB4F2DA77ADC273E456CE240347AF97C68DEF38E70A42DA25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:14.083{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC90DC76852359C183D324E53D2E1141,SHA256=A6E619D42BDECA34A450479D4DC41223725590AC29BC17A2668B58AE39642B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:15.502{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2D717B042E19D89F0B04D8B2ED993A,SHA256=4B6A11B01F3F3FFEC9D4AAC83EB968FEF9D4748267470A283E23B9955CC37E0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:13.831{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63226-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:15.177{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FC83FEE468C26057377D30E9765E3B,SHA256=DA623F061F85AD2D3E12EC372BC2C0C5C8B3C0A4C8F5B39F2075AE74742FCB86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:16.597{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87B34D3085EF1FC0DED1694D1620390,SHA256=FE404E854E1141891ADDBF97D289BDB2E12910693F74378E18E086866AEE6DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:16.272{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9796044C8BB687F7FEC58BEC273FCF94,SHA256=0BE2C2757211C125277C8B61208F5802012254D8E516E71BDC0D6FAB7E78A129,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:14.566{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51624-false10.0.1.12-8000- 23542300x800000000000000084979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:17.707{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06827E97F036AA0CC9F770E009497FBA,SHA256=A699EAF46DC220DB9C8833D07051E489034342E851A159E079B340A747FB7245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:17.366{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D18F2A38E5D09C670E960DF3EA2C5D,SHA256=94F01693EDE57AE4F0041DEFC3425D3DB644264835723A237ED21E75D4CA1D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:18.816{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCDD5D948D09948C222EA320AAC4575,SHA256=69EE7626AECC478A72C2FBD15E088390F6C837CD3EF20D56CA3070EA6D091040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:18.460{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0CA3AEAC2BEF39614BC1586E4DFD99C,SHA256=503926A3FB202FA39F8D8B1C4BDAD018D293F51F58A7B12627A1BCF58CF86FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:19.910{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14ADC8C6D91EB83FADC305345F0BF54A,SHA256=031C0E2A4536BD1222CFBAD0564B0C51E6FE46C42CAF7E4A6510F4CABB8B38AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:19.554{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD041F9BB13AD08A4310B8B727409B63,SHA256=B24CCFC8BB10E985D3058F63C4C78AE353F6AD48C57F5D1A0D79D46D530A6D5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:18.988{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.647{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD943E9274E2C9E1237A600220A2D54A,SHA256=195691AA5A8D87EF24D2D6633A9E4A4C1FFB205B836AD5A0CC5995A0F81F3191,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.382{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.382{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.382{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.366{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.366{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.350{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.350{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.335{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.335{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.335{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.335{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.335{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.335{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.288{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000118034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.241{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\7-Zip.lnk2022-03-24 10:58:20.241 11241100x8000000000000000118033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.225{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\History.txt.lnk2022-03-24 10:58:20.225 10341000x8000000000000000118032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.210{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.210{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.147{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.147{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.147{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.147{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.147{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.147{5F3DCEF0-28A1-623C-9400-000000004202}50244504C:\Windows\Explorer.EXE{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\system32\NOTEPAD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54 154100x8000000000000000118024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:20.147{5F3DCEF0-4ECC-623C-8305-000000004202}960C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\History.txtC:\Program Files\7-Zip\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000118052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:21.741{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478D0B177337B084BFB0C303431AC0E5,SHA256=BA1E0A435537ED23D2A7C5161C45895FB9993C84CF5361292CD72E90B8BE24E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:19.661{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51625-false10.0.1.12-8000- 23542300x800000000000000084983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:21.004{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB496119549884953DBCDEF5F384F12,SHA256=0FA86C37251DFC857ABEB9E7978897B370B8CE4648C6D637B83165AEF1542EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:21.241{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51D3C954D75A91B63CD6431BB35190C9,SHA256=9442679DC8F8464CA23C4A741DB3BFC7701F230C62593CEDF567E0BD29406C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:22.835{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E7DEDCD5E82C498A739225F70554D6,SHA256=52541FEB9310A35243A9E1C29E42FD6CB339CE0BBB6A9B4B594861B219BA2ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:22.097{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2D2E1106E543EC29DB472F101DAB07,SHA256=D35AC3C16E8D214CCD7E96BEF87157824C942130F7B77BDD3AC46AF9416DFA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:23.929{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F9CEDBECDBA8AB61D015C3F1F179B6,SHA256=4B369D760BB9655AAD6BB3403B01388A5218D7900C5BC9643A2B5AF24ACAA6D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:23.191{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4224496B075EBB65554AF4DEB40F5FE,SHA256=DC6D0F26257360E00CED42037C06B46B9753253D1EABFA167625674801226778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:24.287{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5949D522351D04B48F18ACAD061AF9B,SHA256=A59F8B5A7959224F99F8BD2446FFF1AC1036BC598E8F2C27C852AFFAB13758AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:25.379{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B9C1C56209D23E1B4754C6B2DFAC12,SHA256=EA65C6D71B763A863F0621EBA799013065A55C101D3020D3B1431A6DAE49B611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:25.022{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=629A87B3BCA0B4941FF760B9668C03B5,SHA256=AE6A9B81704C87DCE60D93C7484E1B81DBE80F29F028DA1222E064C4DCC3A29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:25.004{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DE1A5088BC8284564437444D8D371347,SHA256=E32214E7FA08030DE20CE65B2CB66A12A1520539FE9F3436AC5B005E4EFE05F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:24.739{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51626-false10.0.1.12-8000- 23542300x800000000000000084990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:26.488{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C7A434605C60F909B79EE498F0070B,SHA256=CCDF28D064B7F935DD9B0BE61889217ADACA355506AD108FA3133B3A8F62EB96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:24.879{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:26.116{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FDF307227ECBD6DB002E2865078E5E9,SHA256=C936713FB4463639757ACA1C15ACE41ACC579471A44CF76DD1B732911FB0282D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:27.582{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C0BA3399643E4E9EDD414D2812A71C,SHA256=110F83300FDA63043C851DF1F6E6ECE127C4D5FD9C88CE56FE4E5DCAE43507F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:27.210{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA7F98CFD63968AC9E4F35FDAE9F4DD,SHA256=B376FBE840448268673DFC2975DFE688D945E56AB4732B1D4CC7B0AF17482939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:28.675{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8988A76D10107AE6B5D221014EDE7B42,SHA256=2D0211F0767184412A218C8E9DB297128F6A0F9CBEFCCA80328620683598A166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:28.304{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF1FB0CE8E8A0013AA65107339D86EC,SHA256=A6DB03D5DD47705D7CF7A748457A32D26C4FABFBBDC81236424FD517A37E3665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:29.769{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9525F1A68E297558892C513A1EF33500,SHA256=D69FD84581620E37A0850F6464E5D3A95F12D8D51A78BC46455AC36185DB678D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:29.397{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E60FFC6537363865B3F24E22BC56C19,SHA256=245D1B716491121B65007AC09F93B0CC3E59FC5942E64A8A1272B4CBA9B5866D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:30.863{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4AF4E24D1F2F5D799CD279B3A579DD,SHA256=C6197ABD0ABDF9F22420F22B23FE41F7F55D0A75025CCD134F2C771ECF6F9605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:30.491{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFF93BD24DE47A30EC544DE8F675234,SHA256=4CCA88A69AC4AB7B1F109D81700541E0FF99760970FAB87804DDF97D02FD2D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:31.957{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159711993E70BD4E380CFF2F36573780,SHA256=E6DB5B4AA0DB7919AAAF680C824A9CCEFA55A6C481D6AD969BABA33B1FD0237B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.632{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE1CB989F034718117F3A1777A6DC06,SHA256=762DB2A8025FBB2D91064F04B183113277BE2F57C2AFE288191A379B4E5AC122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.585{5F3DCEF0-4ED7-623C-8405-000000004202}992ATTACKRANGE\AdministratorC:\Temp\doublezero.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-891.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000118098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.507{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000118097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.507{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.491{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.491{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.491{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:31.425{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.475{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.475{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.475{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.444{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.413{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.397{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.397{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.397{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.397{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.382{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.366{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.366{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.366{5F3DCEF0-4ED7-623C-8505-000000004202}49361828C:\Windows\system32\conhost.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4ED7-623C-8505-000000004202}4936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286D-623C-1200-000000004202}3961416C:\Windows\System32\svchost.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.350{5F3DCEF0-28A1-623C-9400-000000004202}5024748C:\Windows\Explorer.EXE{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+18d1bc|C:\Windows\System32\SHELL32.dll+18cf13|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.353{5F3DCEF0-4ED7-623C-8405-000000004202}992C:\Temp\doublezero.exe-----"C:\Temp\doublezero.exe" C:\Temp\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=7D20FA01A703AFA8907E50417D27B0A4,SHA256=3B2E708EAA4744C76A633391CF2C983F4A098B46436525619E5EA44E105355FE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000118102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:32.600{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C859EC4922209ADB46ECB4C03BF9F45,SHA256=30054FBDD79A582329845B86B0EAE8B9DA5B6F52787F7223F06DE7A60352A7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:32.413{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC183313D27FC3614603A27E3B7D8C21,SHA256=911881A5FC5F1A3DF0D35853ED397EF378AEDD2AF314A744969AB8FC59EED0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:33.694{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35449C2C32472E096A01DB8400579955,SHA256=E29F4DB1EE514FE04B9D3667206EFB2D151C78FEC81DCC6102485D728FB00429,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.localInvDBSetValue2022-03-24 10:58:33.632{5F3DCEF0-286D-623C-1200-000000004202}396C:\Windows\System32\svchost.exeHKU\S-1-5-21-121674864-1922237361-2357191555-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\doublezero.exeBinary Data 354300x800000000000000085000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:30.961{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51628-false10.0.1.12-8089- 354300x800000000000000084999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:30.677{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51627-false10.0.1.12-8000- 23542300x800000000000000084998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:33.050{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9A3F73520363F4E42C2B632021DA0D,SHA256=34931CD18AF7CAEDCF1F051F050815C5044A69A7E0121809620ABEC67966D6D5,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000118106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.508{5F3DCEF0-4ED7-623C-8405-000000004202}992win-dc-tcontreras-attack-range-891.attackrange.local0fe80::44c5:ef28:42ec:7b5;::ffff:10.0.1.14;C:\Temp\doublezero.exe 354300x8000000000000000118105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.271{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63230-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000118104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:31.271{00000000-0000-0000-0000-000000000000}992<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63230-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000118103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:30.879{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:34.144{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED3C49B50E522B377ACE1CB9804B827,SHA256=56080E58A3ECE3828FE62CF243651FE74BD8FADA8EAD5FB3C07C06D2E3681801,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.975{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10c19|C:\Windows\System32\SHELL32.dll+bb850|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.975{5F3DCEF0-28A1-623C-9400-000000004202}5024412C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-8F00-000000004202}47164784C:\Windows\system32\taskhostw.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10c19|C:\Windows\System32\SHELL32.dll+bb850|C:\Windows\System32\SHELL32.dll+9d94|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+9d94|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10c19|C:\Windows\System32\SHELL32.dll+bb850|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50246424C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10c19|C:\Windows\System32\SHELL32.dll+bb850|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.960{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.944{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.944{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.944{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.928{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDA-623C-8605-000000004202}4204C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+b5f3|C:\Program Files\Mozilla Firefox\firefox.exe+991d|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.928{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.928{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.913{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.913{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.913{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.913{5F3DCEF0-4EDA-623C-8605-000000004202}42047020C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+ce11|C:\Program Files\Mozilla Firefox\firefox.exe+991d|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.923{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2MediumMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-4EDA-623C-8605-000000004202}4204C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000118119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.913{5F3DCEF0-4EDA-623C-8605-000000004202}42047020C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+b5f3|C:\Program Files\Mozilla Firefox\firefox.exe+991d|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-4EDA-623C-8605-000000004202}4204C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-286D-623C-1200-000000004202}3961060C:\Windows\System32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4EDA-623C-8605-000000004202}4204C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.897{5F3DCEF0-28A1-623C-9400-000000004202}50247088C:\Windows\Explorer.EXE{5F3DCEF0-4EDA-623C-8605-000000004202}4204C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\windows.storage.dll+2d15e|C:\Windows\System32\windows.storage.dll+2d361|C:\Windows\System32\windows.storage.dll+2cf9f|C:\Windows\System32\SHELL32.dll+d9c67|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x8000000000000000118110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.904{5F3DCEF0-4EDA-623C-8605-000000004202}4204C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000118109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.679{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441CD19FD21230F2D163E9B2C800E6A9,SHA256=8C7D8023B7397A0D489EBF8729D888AC6A6E9F6DA987C9CB4086669B4C46AC3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:35.238{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13E3BB56B27729CFF7488C1A15A5C1C,SHA256=01AB23CD59E14452591107BC249AA48ED5B30345DEFA3F5A592C114D558EA92E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.897{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81825D45CD69907F698CA60DA0B66AAA,SHA256=FBCBE09883D9D64B44BE56BF080CA692AB4A7B1C880D0038C70429E08742F1ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.882{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.882{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.859{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.859{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.859{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.859{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-1C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.844{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.828{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.828{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+edd4e2|C:\Program Files\Mozilla Firefox\xul.dll+bafbc2|C:\Program Files\Mozilla Firefox\xul.dll+26a242|C:\Program Files\Mozilla Firefox\xul.dll+26a01a|C:\Program Files\Mozilla Firefox\xul.dll+ef9ae3|C:\Program Files\Mozilla Firefox\xul.dll+1b41db8|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b452c6|C:\Program Files\Mozilla Firefox\xul.dll+17a3f09|C:\Program Files\Mozilla Firefox\xul.dll+f2d426|C:\Program Files\Mozilla Firefox\xul.dll+1b3f0a7|C:\Program Files\Mozilla Firefox\xul.dll+17a46df|C:\Program Files\Mozilla Firefox\xul.dll+17a33d3|C:\Program Files\Mozilla Firefox\xul.dll+f165c|C:\Program Files\Mozilla Firefox\xul.dll+10f74f|C:\Program Files\Mozilla Firefox\xul.dll+119814e|C:\Program Files\Mozilla Firefox\xul.dll+8a1798|C:\Program Files\Mozilla Firefox\xul.dll+8a1ec6|C:\Program Files\Mozilla Firefox\xul.dll+213aba|C:\Program Files\Mozilla Firefox\xul.dll+c1f615|C:\Program Files\Mozilla Firefox\xul.dll+81b371 10341000x8000000000000000118274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.813{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.813{5F3DCEF0-4EDB-623C-8805-000000004202}4216\chrome.4196.4.43636842C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.813{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.4.43636842C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.813{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19f5261|C:\Program Files\Mozilla Firefox\xul.dll+19f3976|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.813{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.3.126799269C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.813{5F3DCEF0-4EDA-623C-8705-000000004202}41965248C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11d48b|C:\Program Files\Mozilla Firefox\xul.dll+122dedf|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.798{5F3DCEF0-4EDA-623C-8705-000000004202}4196\gecko-crash-server-pipe.4196C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.777{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e48fb0|C:\Program Files\Mozilla Firefox\xul.dll+e4819c|C:\Program Files\Mozilla Firefox\xul.dll+e4a78d|C:\Program Files\Mozilla Firefox\xul.dll+c4d8af|C:\Program Files\Mozilla Firefox\xul.dll+c4a9d5|C:\Program Files\Mozilla Firefox\xul.dll+2728df|C:\Program Files\Mozilla Firefox\xul.dll+272491|C:\Program Files\Mozilla Firefox\xul.dll+fa1ddf|C:\Program Files\Mozilla Firefox\xul.dll+17a4fbb|C:\Program Files\Mozilla Firefox\xul.dll+17a33d3|C:\Program Files\Mozilla Firefox\xul.dll+c4d028|C:\Program Files\Mozilla Firefox\xul.dll+25074e|C:\Program Files\Mozilla Firefox\xul.dll+21dc6b|C:\Program Files\Mozilla Firefox\xul.dll+81b371|C:\Program Files\Mozilla Firefox\xul.dll+177769c|C:\Program Files\Mozilla Firefox\xul.dll+187a668|C:\Program Files\Mozilla Firefox\xul.dll+1ac017b|C:\Program Files\Mozilla Firefox\xul.dll+172d9d7|C:\Program Files\Mozilla Firefox\xul.dll+1bf25d1 10341000x8000000000000000118266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9b4069|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19f352f|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-4EDA-623C-8705-000000004202}41961044C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d2d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff55|C:\Program Files\Mozilla Firefox\xul.dll+2075b4a|C:\Program Files\Mozilla Firefox\xul.dll+9b04d4|C:\Program Files\Mozilla Firefox\xul.dll+9ae575|C:\Program Files\Mozilla Firefox\xul.dll+9b4eee|C:\Program Files\Mozilla Firefox\xul.dll+83f654|C:\Program Files\Mozilla Firefox\xul.dll+16ade00|C:\Program Files\Mozilla Firefox\xul.dll+16ac888|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+84292e|C:\Program Files\Mozilla Firefox\nss3.dll+774c|C:\Program Files\Mozilla Firefox\nss3.dll+90511|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.764{5F3DCEF0-4EDB-623C-8A05-000000004202}6644C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.3.1267992697\1470251075" -childID 2 -isForBrowser -prefsHandle 3168 -prefMapHandle 3164 -prefsLen 5124 -prefMapSize 252311 -jsInitHandle 1112 -jsInitLen 279424 -parentBuildID 20220313140707 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 3176 2431ff5a248 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2LowMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000118258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.759{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.743{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.743{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.743{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.743{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.743{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.743{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000118232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.743{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.3.126799269C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000118231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.743{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A48E09979F462A74BE21BB0418ABBE,SHA256=5CD4411C0337D5347417DD316FB058B12CA480EA1170F7A875F08367104C5668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.712{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.696{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.663{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.647{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.647{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.647{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F63A28850AD1B787217DB56DF0A3BB6,SHA256=356391AA3987E8387BE69D3D3EC90E538BD668C9BA607F29E36165A918575BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.616{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.616{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.585{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.569{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.569{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-0C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.553{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.553{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.538{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.538{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.522{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.507{5F3DCEF0-4EDB-623C-8805-000000004202}4216\chrome.4196.2.22996049C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.507{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.2.22996049C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.507{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.507{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19f5261|C:\Program Files\Mozilla Firefox\xul.dll+19f3976|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.507{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.1.25441238C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.507{5F3DCEF0-4EDA-623C-8705-000000004202}41965248C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11d48b|C:\Program Files\Mozilla Firefox\xul.dll+122dedf|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.507{5F3DCEF0-4EDA-623C-8705-000000004202}4196\gecko-crash-server-pipe.4196C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e48fb0|C:\Program Files\Mozilla Firefox\xul.dll+e4819c|C:\Program Files\Mozilla Firefox\xul.dll+e4a78d|C:\Program Files\Mozilla Firefox\xul.dll+c4d8af|C:\Program Files\Mozilla Firefox\xul.dll+c4a9d5|C:\Program Files\Mozilla Firefox\xul.dll+2728df|C:\Program Files\Mozilla Firefox\xul.dll+272491|C:\Program Files\Mozilla Firefox\xul.dll+fa1ddf|C:\Program Files\Mozilla Firefox\xul.dll+17a4fbb|C:\Program Files\Mozilla Firefox\xul.dll+17a33d3|C:\Program Files\Mozilla Firefox\xul.dll+c4d028|C:\Program Files\Mozilla Firefox\xul.dll+257501|C:\Program Files\Mozilla Firefox\xul.dll+34c1ce|C:\Program Files\Mozilla Firefox\xul.dll+cf0bd6|C:\Program Files\Mozilla Firefox\xul.dll+1793840|C:\Program Files\Mozilla Firefox\xul.dll+1729088|C:\Program Files\Mozilla Firefox\xul.dll+16f9f20|C:\Program Files\Mozilla Firefox\xul.dll+1be72c8|C:\Program Files\Mozilla Firefox\xul.dll+1729521 10341000x8000000000000000118206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9b4069|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19f352f|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-4EDA-623C-8705-000000004202}41961044C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d2d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff55|C:\Program Files\Mozilla Firefox\xul.dll+2075b4a|C:\Program Files\Mozilla Firefox\xul.dll+9b04d4|C:\Program Files\Mozilla Firefox\xul.dll+9ae575|C:\Program Files\Mozilla Firefox\xul.dll+9b4eee|C:\Program Files\Mozilla Firefox\xul.dll+83f654|C:\Program Files\Mozilla Firefox\xul.dll+16ade00|C:\Program Files\Mozilla Firefox\xul.dll+16ac888|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+84292e|C:\Program Files\Mozilla Firefox\nss3.dll+774c|C:\Program Files\Mozilla Firefox\nss3.dll+90511|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.476{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.1.254412388\1619422930" -childID 1 -isForBrowser -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 342 -prefMapSize 252311 -jsInitHandle 1112 -jsInitLen 279424 -parentBuildID 20220313140707 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 2148 24330f87548 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2LowMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000118198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.475{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000118171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.460{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.1.25441238C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.444{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+edd4e2|C:\Program Files\Mozilla Firefox\xul.dll+bafbc2|C:\Program Files\Mozilla Firefox\xul.dll+26a242|C:\Program Files\Mozilla Firefox\xul.dll+26a01a|C:\Program Files\Mozilla Firefox\xul.dll+ef9ae3|C:\Program Files\Mozilla Firefox\xul.dll+1b41db8|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b431ed|C:\Program Files\Mozilla Firefox\xul.dll+1b452c6|C:\Program Files\Mozilla Firefox\xul.dll+17a3f09|C:\Program Files\Mozilla Firefox\xul.dll+17a33d3|C:\Program Files\Mozilla Firefox\xul.dll+c4d028|C:\Program Files\Mozilla Firefox\xul.dll+257501|C:\Program Files\Mozilla Firefox\xul.dll+34c1ce|C:\Program Files\Mozilla Firefox\xul.dll+cf0bd6|C:\Program Files\Mozilla Firefox\xul.dll+1793840|C:\Program Files\Mozilla Firefox\xul.dll+1729088 23542300x8000000000000000118169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.288{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443EB3B8118393E765FB1001A420632E,SHA256=E9D1C389D842E07DA76CBCB577531F5D7BB6B8C2013D74C307A820BDE688D05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.272{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.272{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.194{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\61ch5vml.default-release\cache2\doomed\16964MD5=BE9692AEE9DEDAFEEE3CABADA56B56A0,SHA256=4F2C83BBA3B4153FDEC91D9F527B780CE172307E0FF5DF1E49DC6AA86495860D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.194{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.178{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.178{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.178{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.163{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19f5261|C:\Program Files\Mozilla Firefox\xul.dll+19f3976|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.163{5F3DCEF0-4EDB-623C-8805-000000004202}4216\chrome.4196.0.148785646C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.163{5F3DCEF0-4EDA-623C-8705-000000004202}41965248C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11d48b|C:\Program Files\Mozilla Firefox\xul.dll+122dedf|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:35.163{5F3DCEF0-4EDB-623C-8805-000000004202}4216\gecko-crash-server-pipe.4196C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9b4069|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19f352f|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.147{5F3DCEF0-4EDA-623C-8705-000000004202}41961044C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+178ca1f|C:\Program Files\Mozilla Firefox\xul.dll+9b0346|C:\Program Files\Mozilla Firefox\xul.dll+9ae575|C:\Program Files\Mozilla Firefox\xul.dll+9b4eee|C:\Program Files\Mozilla Firefox\xul.dll+83f654|C:\Program Files\Mozilla Firefox\xul.dll+16ade00|C:\Program Files\Mozilla Firefox\xul.dll+16ac888|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+84292e|C:\Program Files\Mozilla Firefox\nss3.dll+774c|C:\Program Files\Mozilla Firefox\nss3.dll+90511|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.152{5F3DCEF0-4EDB-623C-8805-000000004202}4216C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.0.1487856468\1007623588" -parentBuildID 20220313140707 -prefsHandle 1292 -prefMapHandle 1304 -prefsLen 1 -prefMapSize 252311 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 1396 2432c3eb948 gpuC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2MediumMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000118147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.147{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.0.148785646C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:35.147{5F3DCEF0-4EDA-623C-8705-000000004202}4196\gecko-crash-server-pipe.4196C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.085{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.085{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.007{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.897{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\search.json.mozlz4MD5=25C4D85756615B5AD2C847522ACD7C78,SHA256=7BC33AEB07A20D9FA293C77E9AE3D87C2609CDFFBFF9090F180EFFA9F65E389A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.813{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C586E5746062B8C3B57949ECF41C50,SHA256=AEC99EAB98CB8A89DBB82D88F5E53970D50C1479F2164DAFF1EF572CCA84885A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.505{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63234-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000118517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.503{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local58059- 354300x8000000000000000118516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.501{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local58485- 354300x8000000000000000118515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.501{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local57979- 354300x8000000000000000118514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.472{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63233-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000118513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.465{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local55652- 354300x8000000000000000118512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.457{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local57531- 22542200x8000000000000000118511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.465{5F3DCEF0-4EDA-623C-8705-000000004202}4196youtube-ui.l.google.com0172.217.23.110;216.58.212.142;142.250.185.78;142.250.185.110;142.250.185.142;142.250.181.238;172.217.16.142;216.58.212.174;142.250.74.206;142.250.186.46;142.250.186.78;142.250.186.110;142.250.186.142;142.250.186.174;172.217.18.110;142.250.184.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.465{5F3DCEF0-4EDA-623C-8705-000000004202}4196www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:142.250.184.206;::ffff:172.217.23.110;::ffff:216.58.212.142;::ffff:142.250.185.78;::ffff:142.250.185.110;::ffff:142.250.185.142;::ffff:142.250.181.238;::ffff:172.217.16.142;::ffff:216.58.212.174;::ffff:142.250.74.206;::ffff:142.250.186.46;::ffff:142.250.186.78;::ffff:142.250.186.110;::ffff:142.250.186.142;::ffff:142.250.186.174;::ffff:172.217.18.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.464{5F3DCEF0-4EDA-623C-8705-000000004202}4196accounts.google.com0142.250.186.77;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.464{5F3DCEF0-4EDA-623C-8705-000000004202}4196googlemail.l.google.com0142.250.185.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.464{5F3DCEF0-4EDA-623C-8705-000000004202}4196accounts.google.com0::ffff:142.250.186.77;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.463{5F3DCEF0-4EDA-623C-8705-000000004202}4196mail.google.com0type: 5 googlemail.l.google.com;::ffff:142.250.185.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.139{5F3DCEF0-4EDA-623C-8705-000000004202}4196cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.137{5F3DCEF0-4EDA-623C-8705-000000004202}4196cs9.wac.phicdn.net093.184.220.29;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.097{5F3DCEF0-4EDA-623C-8705-000000004202}4196prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.095{5F3DCEF0-4EDA-623C-8705-000000004202}4196prod.ingestion-edge.prod.dataops.mozgcp.net034.120.208.123;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.868{5F3DCEF0-4EDA-623C-8705-000000004202}4196d2nxq2uap88usk.cloudfront.net02600:9000:2156:3600:a:da5e:7900:93a1;2600:9000:2156:f800:a:da5e:7900:93a1;2600:9000:2156:3000:a:da5e:7900:93a1;2600:9000:2156:c600:a:da5e:7900:93a1;2600:9000:2156:6600:a:da5e:7900:93a1;2600:9000:2156:9a00:a:da5e:7900:93a1;2600:9000:2156:ec00:a:da5e:7900:93a1;2600:9000:2156:5c00:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.862{5F3DCEF0-4EDA-623C-8705-000000004202}4196d2nxq2uap88usk.cloudfront.net018.66.139.97;18.66.139.17;18.66.139.67;18.66.139.125;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.853{5F3DCEF0-4EDA-623C-8705-000000004202}4196a1887.dscq.akamai.net02a02:26f0:1700:f::1737:a1a4;2a02:26f0:1700:f::1737:a194;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.850{5F3DCEF0-4EDA-623C-8705-000000004202}4196a1887.dscq.akamai.net02.22.117.227;2.22.118.162;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.849{5F3DCEF0-4EDA-623C-8705-000000004202}4196r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:2.22.118.162;::ffff:2.22.117.227;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.734{5F3DCEF0-4EDA-623C-8705-000000004202}4196example.org0::ffff:93.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.734{5F3DCEF0-4EDA-623C-8705-000000004202}4196example.org093.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.700{5F3DCEF0-4EDA-623C-8705-000000004202}4196prod.detectportal.prod.cloudops.mozgcp.net02600:1901:0:38d7::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.698{5F3DCEF0-4EDA-623C-8705-000000004202}4196prod.detectportal.prod.cloudops.mozgcp.net034.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.695{5F3DCEF0-4EDA-623C-8705-000000004202}4196detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;::ffff:34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000085003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:36.327{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E673D448A610151073384ACC6A02DA7,SHA256=EB93E64B1D7DC39051F2DF3BD326B3FEE882F0F7C2D4E30E1E8597D3763F25AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.678{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34EFF8C144769E69AE2489FEDEF21FB8,SHA256=1EBF22CC0444D252B0F23FE8EA1345EC983095E70981EAD828037227866EFBCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.628{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.628{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.628{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.628{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.613{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-4C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.613{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-4C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.597{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.597{5F3DCEF0-4EDB-623C-8805-000000004202}4216\chrome.4196.10.24519963C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.597{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.10.24519963C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.597{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19f5261|C:\Program Files\Mozilla Firefox\xul.dll+19f3976|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.597{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.9.99118603C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.597{5F3DCEF0-4EDA-623C-8705-000000004202}41965248C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11d48b|C:\Program Files\Mozilla Firefox\xul.dll+122dedf|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.597{5F3DCEF0-4EDA-623C-8705-000000004202}4196\gecko-crash-server-pipe.4196C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.582{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.581{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.576{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e48fb0|C:\Program Files\Mozilla Firefox\xul.dll+e57532|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19d5b03|C:\Program Files\Mozilla Firefox\xul.dll+19d4c53|C:\Program Files\Mozilla Firefox\xul.dll+16aebda|C:\Program Files\Mozilla Firefox\xul.dll+19fe955|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+189938|C:\Program Files\Mozilla Firefox\xul.dll+18883f|C:\Program Files\Mozilla Firefox\xul.dll+446b611|C:\Program Files\Mozilla Firefox\xul.dll+44d5796|C:\Program Files\Mozilla Firefox\xul.dll+44d65b9|C:\Program Files\Mozilla Firefox\xul.dll+1fbc193|C:\Program Files\Mozilla Firefox\firefox.exe+9e19|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.575{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9b4069|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19f352f|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-4EDA-623C-8705-000000004202}41961044C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d2d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff55|C:\Program Files\Mozilla Firefox\xul.dll+2075b4a|C:\Program Files\Mozilla Firefox\xul.dll+9b04d4|C:\Program Files\Mozilla Firefox\xul.dll+9ae575|C:\Program Files\Mozilla Firefox\xul.dll+9b4eee|C:\Program Files\Mozilla Firefox\xul.dll+83f654|C:\Program Files\Mozilla Firefox\xul.dll+16ade00|C:\Program Files\Mozilla Firefox\xul.dll+16ac888|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+84292e|C:\Program Files\Mozilla Firefox\nss3.dll+774c|C:\Program Files\Mozilla Firefox\nss3.dll+90511|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.570{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.9.991186031\1721919520" -childID 5 -isForBrowser -prefsHandle 4700 -prefMapHandle 4692 -prefsLen 5846 -prefMapSize 252311 -jsInitHandle 1112 -jsInitLen 279424 -parentBuildID 20220313140707 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 4424 24335397b48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2LowMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000118464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.560{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4851B7F330CFBEE830BBDE77CA93EE75,SHA256=0A8F457217FB7D8B67BDCE8C9B14DE0DA1BF0FF87DED4D6D06C8E4E8E257AA29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.544{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000118436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.544{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.9.99118603C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.544{5F3DCEF0-286D-623C-1100-000000004202}4081592C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.544{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-3C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.544{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-3C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.544{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.544{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.544{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D722249F40A509514F84758E0EB741A2,SHA256=87EE78B1EB0F1A242876A8AE15FA7730A58C477B5033526809E324EB35C6599C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.529{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\pending_pings\475a15dc-a4a4-44c2-bf68-39132ce0c455MD5=4FAC465840CAAD8BD0300CACFD98FB13,SHA256=12EF0099CDDDFE42190CD76A31AA87476AF68D2CD07EA01691FA2C5CD9377207,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.529{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.529{5F3DCEF0-4EDB-623C-8805-000000004202}4216\chrome.4196.8.162184329C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.529{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.8.162184329C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.529{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19f5261|C:\Program Files\Mozilla Firefox\xul.dll+19f3976|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.529{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.6.213627571C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000118423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.529{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.529{5F3DCEF0-4EDA-623C-8705-000000004202}4196\LOCAL\cubeb-pipe-4196-2C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.513{5F3DCEF0-4EDA-623C-8705-000000004202}41965248C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11d48b|C:\Program Files\Mozilla Firefox\xul.dll+122dedf|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.513{5F3DCEF0-4EDA-623C-8705-000000004202}4196\gecko-crash-server-pipe.4196C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.513{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+545cb|C:\Windows\System32\RPCRT4.dll+52caa|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.513{5F3DCEF0-4EDB-623C-8805-000000004202}4216\chrome.4196.7.131350989C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.497{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.7.131350989C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.497{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19f5261|C:\Program Files\Mozilla Firefox\xul.dll+19f3976|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.497{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.5.199665256C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.497{5F3DCEF0-4EDA-623C-8705-000000004202}41965248C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11d48b|C:\Program Files\Mozilla Firefox\xul.dll+122dedf|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000118413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-ConnectPipe2022-03-24 10:58:36.497{5F3DCEF0-4EDA-623C-8705-000000004202}4196\gecko-crash-server-pipe.4196C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.497{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e48fb0|C:\Program Files\Mozilla Firefox\xul.dll+e57532|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19d5b03|C:\Program Files\Mozilla Firefox\xul.dll+19d4c53|C:\Program Files\Mozilla Firefox\xul.dll+16aebda|C:\Program Files\Mozilla Firefox\xul.dll+19fe955|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+189938|C:\Program Files\Mozilla Firefox\xul.dll+18883f|C:\Program Files\Mozilla Firefox\xul.dll+446b611|C:\Program Files\Mozilla Firefox\xul.dll+44d5796|C:\Program Files\Mozilla Firefox\xul.dll+44d65b9|C:\Program Files\Mozilla Firefox\xul.dll+1fbc193|C:\Program Files\Mozilla Firefox\firefox.exe+9e19|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.497{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9b4069|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19f352f|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-4EDA-623C-8705-000000004202}41961044C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d2d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff55|C:\Program Files\Mozilla Firefox\xul.dll+2075b4a|C:\Program Files\Mozilla Firefox\xul.dll+9b04d4|C:\Program Files\Mozilla Firefox\xul.dll+9ae575|C:\Program Files\Mozilla Firefox\xul.dll+9b4eee|C:\Program Files\Mozilla Firefox\xul.dll+83f654|C:\Program Files\Mozilla Firefox\xul.dll+16ade00|C:\Program Files\Mozilla Firefox\xul.dll+16ac888|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+84292e|C:\Program Files\Mozilla Firefox\nss3.dll+774c|C:\Program Files\Mozilla Firefox\nss3.dll+90511|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.495{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.6.2136275714\887575775" -childID 4 -isForBrowser -prefsHandle 4356 -prefMapHandle 4360 -prefsLen 5846 -prefMapSize 252311 -jsInitHandle 1112 -jsInitLen 279424 -parentBuildID 20220313140707 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 4352 24336ab1848 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2LowMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000118403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.482{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000118377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.482{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.6.213627571C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.481{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e48fb0|C:\Program Files\Mozilla Firefox\xul.dll+e57532|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19d5b03|C:\Program Files\Mozilla Firefox\xul.dll+19d4c53|C:\Program Files\Mozilla Firefox\xul.dll+16aebda|C:\Program Files\Mozilla Firefox\xul.dll+19fe955|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+189938|C:\Program Files\Mozilla Firefox\xul.dll+18883f|C:\Program Files\Mozilla Firefox\xul.dll+446b611|C:\Program Files\Mozilla Firefox\xul.dll+44d5796|C:\Program Files\Mozilla Firefox\xul.dll+44d65b9|C:\Program Files\Mozilla Firefox\xul.dll+1fbc193|C:\Program Files\Mozilla Firefox\firefox.exe+9e19|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.481{5F3DCEF0-4EDA-623C-8705-000000004202}41966592C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9b4069|C:\Program Files\Mozilla Firefox\xul.dll+7c6504|C:\Program Files\Mozilla Firefox\xul.dll+19f352f|C:\Program Files\Mozilla Firefox\xul.dll+12ad5|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+126d0|C:\Program Files\Mozilla Firefox\xul.dll+99b601|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-4EDA-623C-8705-000000004202}41961044C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f553|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30d2d|C:\Program Files\Mozilla Firefox\firefox.exe+2ff55|C:\Program Files\Mozilla Firefox\xul.dll+2075b4a|C:\Program Files\Mozilla Firefox\xul.dll+9b04d4|C:\Program Files\Mozilla Firefox\xul.dll+9ae575|C:\Program Files\Mozilla Firefox\xul.dll+9b4eee|C:\Program Files\Mozilla Firefox\xul.dll+83f654|C:\Program Files\Mozilla Firefox\xul.dll+16ade00|C:\Program Files\Mozilla Firefox\xul.dll+16ac888|C:\Program Files\Mozilla Firefox\xul.dll+99e59f|C:\Program Files\Mozilla Firefox\xul.dll+2052e|C:\Program Files\Mozilla Firefox\xul.dll+84292e|C:\Program Files\Mozilla Firefox\nss3.dll+774c|C:\Program Files\Mozilla Firefox\nss3.dll+90511|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1e1d8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.474{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe98.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.5.1996652565\1511450133" -childID 3 -isForBrowser -prefsHandle 4312 -prefMapHandle 4308 -prefsLen 5846 -prefMapSize 252311 -jsInitHandle 1112 -jsInitLen 279424 -parentBuildID 20220313140707 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 4272 24336006548 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2LowMD5=4709CFE20E83A91570AD6B8305B1EA90,SHA256=6D20A6F85F4FCAFE0A962F8935B234B813FF62F83AC40FC1D6560DF27F56140C,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000118367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.460{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000118341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:36.460{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.5.199665256C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000118340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.382{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.345{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=3E99D8C3598B975B3013E2983DA020C1,SHA256=56D6A562B683C8DDBD99A9F16C0C404E0D85F73FB401AA9754D8E37DE8645358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.345{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=B6A456CFE73F6ED156B30F2CB516A9E7,SHA256=A0B1C66FAD9554B83DEBABB1552B7114908664788D97BF639A5C053AECFB137A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.345{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=28AF19DC3A3AFB1D99CE04E3B4C7BFA0,SHA256=105C3C57060871E237E6BD06C479B7D8549B64703F53BD71B9C007D880FB2C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.345{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=FE7AAC1FC1F8FBD95AA8ECA94FCCEF38,SHA256=DAB3D8BAC5B27A6BC30F8EDD20EF2F4E06BE97FA929D08957120F7D7F6D4C7C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=4686ACA0CFE0DC100188982B04460041,SHA256=49B4F69C2AD2E91DB39A3F010270302F9D66856AD60503DF6A2EB8BCB8947052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=90CBD0741485E02018F90036B7923C8B,SHA256=84C2D7A1E386AA867CBC9726B8E1C1C5C948875AADB3303CE357735B250BC963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=114BEB306193FFF6445B055669D2105B,SHA256=A76BCEE219785173021E995530DC82EA205B7290DF20E54358319348244171E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=7523E0B9331A32E286E7F4A1E4D90C6D,SHA256=4D07F603CD3E5E3F0976BE9B21A71741ABB7C7D89790531E066C63863332A09F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=CA084295B40F5D4342065B3F08627114,SHA256=D8F7A87040C5C92221964961880A66C9230A485F55F6386234316F9CF6C6FE41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=4D77AFD009D5DDDF6868B784B0E5FCD6,SHA256=F12AF93585B6FF2C89693D53C4324A701422A399ECE90C0D309D9E2B70B0E451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=F78EC185E5B73DE25D4431B711C9A627,SHA256=64098497174BC25A2458E8BE66C7492F2FD43B1404B3005191D82676F46ED0B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=E459A6B19F96D063B6380BFAA5B1D6BA,SHA256=120D2C0A96D01E50E9BA1EE82CBEC67710825BFE166601744505AB5A6068F2E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=4686ACA0CFE0DC100188982B04460041,SHA256=49B4F69C2AD2E91DB39A3F010270302F9D66856AD60503DF6A2EB8BCB8947052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.329{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=5759D53E98913F87495CCE4716ACD190,SHA256=36A0C43F54225A72F7D9B28A83447AF75727472B8AC5135CF34B37062954E021,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000118293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.813{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-63232-false127.0.0.1-63231- 10341000x8000000000000000118292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-287B-623C-3600-000000004202}23843084C:\Windows\sysmon64.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-287B-623C-3600-000000004202}23843084C:\Windows\sysmon64.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.071{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.029{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2F8E8D82031FB5BDC1E59D9F6EAAFE4C,SHA256=DA02037AF4AA0602989C0F373D44B915B588AC836F0760A1A99F6D4650D75C14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:37.927{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63A2689C316CC3A0F930E0A5C133232,SHA256=7370B495DC1F8CBA656B6655EA3D974CA32EAAAE90BDF3D7BD4478A6B1FF7B72,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000118586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.477{5F3DCEF0-4EDA-623C-8705-000000004202}4196e11847.a.akamaiedge.net0104.75.89.144;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.476{5F3DCEF0-4EDA-623C-8705-000000004202}4196www.ebay.de0type: 5 ipv4.slot11847.ebay.com.edgekey.net;type: 5 e11847.a.akamaiedge.net;::ffff:104.75.89.144;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.475{5F3DCEF0-4EDA-623C-8705-000000004202}4196e15317.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.475{5F3DCEF0-4EDA-623C-8705-000000004202}4196e2701.dsca.akamaiedge.net095.100.76.75;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.474{5F3DCEF0-4EDA-623C-8705-000000004202}4196www.trivago.de0type: 5 www.trivago.de.edgekey.net;type: 5 e2701.dsca.akamaiedge.net;::ffff:95.100.76.75;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.473{5F3DCEF0-4EDA-623C-8705-000000004202}4196e15317.a.akamaiedge.net0104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.473{5F3DCEF0-4EDA-623C-8705-000000004202}4196www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 www.amazon.de.edgekey.net;type: 5 e15317.a.akamaiedge.net;::ffff:104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.471{5F3DCEF0-4EDA-623C-8705-000000004202}4196dyna.wikimedia.org02620:0:862:ed1a::1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.471{5F3DCEF0-4EDA-623C-8705-000000004202}4196star-mini.c10r.facebook.com02a03:2880:f11c:8183:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.469{5F3DCEF0-4EDA-623C-8705-000000004202}4196dyna.wikimedia.org091.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.468{5F3DCEF0-4EDA-623C-8705-000000004202}4196www.wikipedia.org0type: 5 dyna.wikimedia.org;::ffff:91.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.468{5F3DCEF0-4EDA-623C-8705-000000004202}4196star-mini.c10r.facebook.com0157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.467{5F3DCEF0-4EDA-623C-8705-000000004202}4196www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.467{5F3DCEF0-4EDA-623C-8705-000000004202}4196youtube-ui.l.google.com02a00:1450:4001:813::200e;2a00:1450:4001:831::200e;2a00:1450:4001:82f::200e;2a00:1450:4001:812::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.466{5F3DCEF0-4EDA-623C-8705-000000004202}4196accounts.google.com02a00:1450:4001:812::200d;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.465{5F3DCEF0-4EDA-623C-8705-000000004202}4196googlemail.l.google.com02a00:1450:4001:812::2005;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000085004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:37.420{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE39E649FC07A799A37307C2188E18A,SHA256=0686C7BD02DCB038D47F02B7C1E48C201E886148B892EDEB0CC1E395D524CDFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.243{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local55354- 354300x8000000000000000118569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.240{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local55538- 354300x8000000000000000118568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.237{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53653- 354300x8000000000000000118567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.237{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local55953- 354300x8000000000000000118566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.235{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local54723- 354300x8000000000000000118565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.234{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local65381- 354300x8000000000000000118564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.232{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local51931- 354300x8000000000000000118563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.232{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local57058- 354300x8000000000000000118562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.230{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local56444- 354300x8000000000000000118561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.230{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local64995- 354300x8000000000000000118560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.230{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local50223- 354300x8000000000000000118559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.230{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local51852- 354300x8000000000000000118558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.229{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local54111- 354300x8000000000000000118557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.227{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local52232- 354300x8000000000000000118556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.227{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local56543- 354300x8000000000000000118555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.122{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63248-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 23542300x8000000000000000118554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:37.512{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=715457D1E5F32E56AE34D4144788070E,SHA256=4266D8EDEA73BDFC15DDF312C861053F3912846ADB4403C6A8594C05C953BAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:37.344{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.996{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63239-false52.89.17.198ec2-52-89-17-198.us-west-2.compute.amazonaws.com443https 354300x8000000000000000118551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.905{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63246-false93.184.220.29-80http 354300x8000000000000000118550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.905{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63247-false93.184.220.29-80http 354300x8000000000000000118549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.903{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local54069- 354300x8000000000000000118548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.901{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local52313- 354300x8000000000000000118547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.897{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63245-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000118546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.892{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63244-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000118545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.878{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local64518- 354300x8000000000000000118544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.874{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63243-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000118543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.874{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63242-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000118542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.871{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local65050- 354300x8000000000000000118541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.871{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local65224- 354300x8000000000000000118540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.869{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local65155- 354300x8000000000000000118539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.863{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63240-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000118538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.862{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63241-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000118537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.861{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local54478- 354300x8000000000000000118536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.861{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local55110- 354300x8000000000000000118535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.846{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local59570- 354300x8000000000000000118534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.845{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local65095- 354300x8000000000000000118533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.628{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local49200- 354300x8000000000000000118532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.625{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local58812- 354300x8000000000000000118531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.617{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63237-false2.22.118.162a2-22-118-162.deploy.static.akamaitechnologies.com80http 354300x8000000000000000118530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.617{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local55229- 354300x8000000000000000118529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.613{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local57139- 354300x8000000000000000118528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.581{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63236-false18.66.139.69server-18-66-139-69.fra60.r.cloudfront.net443https 354300x8000000000000000118527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.576{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local50577- 354300x8000000000000000118526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.575{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local49355- 354300x8000000000000000118525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.566{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local58213- 354300x8000000000000000118524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:35.561{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63235-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000118523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:34.813{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-63232-false127.0.0.1-63231- 10341000x8000000000000000118522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:37.013{5F3DCEF0-287B-623C-3600-000000004202}23843084C:\Windows\sysmon64.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:37.013{5F3DCEF0-287B-623C-3600-000000004202}23843084C:\Windows\sysmon64.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:38.514{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4BFE56E4E0A54D0CB8B27B97141F08,SHA256=B44ADD3E36D0B0476AD7ACD50B29837049361952058E82B56EB2E7AF420E136A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:38.843{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B832E6A87A079CAA4E583641BA67967E,SHA256=C5CE01CB08946EC04F5FAF1D7A0E464684E124EEBFB7D2B0AAB4DFFAF944B64C,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000118590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.486{5F3DCEF0-4EDA-623C-8705-000000004202}4196e11847.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.478{5F3DCEF0-4EDA-623C-8705-000000004202}4196e2701.dsca.akamaiedge.net02a02:26f0:3500:899::a8d;2a02:26f0:3500:890::a8d;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000118588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.243{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local50368- 354300x800000000000000085005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:35.750{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51629-false10.0.1.12-8000- 23542300x8000000000000000118670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.776{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF706357C368EB931FE6AE396D6955E7,SHA256=33C6BB03339A48CC7A975B1E80AFE57AC98C9B00DA19370683EAFAD9336BA9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:39.967{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F0853987947243C29EB1C9626CE95732,SHA256=DB9255EE48A380D379F380BFD8F6DC5311647946B03CEDA8A21990A4F7B7C27A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:39.608{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BAC7D300F468423694B4F49AFBBCE97,SHA256=E044A4DCF37E611499291AADB4416CDA28910023BE720309D2B0BD6538366BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.682{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C337D2CC3E537FCA40FEC24CA9CF35,SHA256=A6762555BE069CBAD5833E993BACB920A8DD0B77811B6CF8CF4F186A4C375F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.667{5F3DCEF0-4EDF-623C-9005-000000004202}2156ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\saved-telemetry-pings\64ecd609-3216-4146-b6e4-08bac6e952fcMD5=7942C6F7C308B3CFB9AEB5FBB80561CD,SHA256=6761DBC8E5B60D9AF960C177CE99A8C4B8A78666A16FBFA83E2D2F1596AB4E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.667{5F3DCEF0-4EDF-623C-8E05-000000004202}1040ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\saved-telemetry-pings\842e65d8-9a42-4c94-aa16-60f25765eefcMD5=E47D04A11914AA40C31C92CDE9BBC36A,SHA256=FC1B75F785731DAE0E28A03AF6D25B341696FC2E724E560A034842F13CDF6F69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.442{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.430{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+2da4f|c:\windows\system32\rpcss.dll+30e76|c:\windows\system32\rpcss.dll+3e52a|C:\Windows\System32\RPCRT4.dll+6a3e8|C:\Windows\System32\RPCRT4.dll+2ef39|C:\Windows\System32\RPCRT4.dll+2ed53|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.430{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.395{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDF-623C-9005-000000004202}2156C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.395{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDF-623C-9005-000000004202}2156C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.395{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.379{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDF-623C-8E05-000000004202}1040C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.379{5F3DCEF0-286B-623C-0B00-000000004202}620816C:\Windows\system32\lsass.exe{5F3DCEF0-4EDF-623C-8E05-000000004202}1040C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be4f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.358{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=B150CFFCC32C6D506F6B5C82BA9305A4,SHA256=B680AC5F1FC562B57A956CB207D733CC0B935235B7B9D30C70AAFFC7AD93F5EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.342{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\glean\db\data.safe.binMD5=0A7AC77FFEA2A570E446893B50984DBD,SHA256=147288FFA6E3D68E9B0321B64A8E6A4F1B4018F0BC38B1088E22B3A5D38A6CB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:36.908{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local56085- 10341000x8000000000000000118645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.326{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4EDF-623C-9105-000000004202}5836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.326{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4EDF-623C-9105-000000004202}5836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.326{5F3DCEF0-4EDF-623C-9105-000000004202}58366564C:\Windows\system32\conhost.exe{5F3DCEF0-4EDF-623C-9005-000000004202}2156C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.326{5F3DCEF0-286D-623C-1600-000000004202}12601428C:\Windows\system32\svchost.exe{5F3DCEF0-4EDF-623C-8F05-000000004202}6044C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.326{5F3DCEF0-286D-623C-1600-000000004202}12601344C:\Windows\system32\svchost.exe{5F3DCEF0-4EDF-623C-8F05-000000004202}6044C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\aborted-session-pingMD5=4F5AC6DA7629C3CEC4A7D8CA4FA23B5C,SHA256=3C7E9F656D6524385A48C3391A108FA31EB16EBCBA8090A35349CA3D3A3D3953,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-4EDF-623C-8F05-000000004202}60442040C:\Windows\system32\conhost.exe{5F3DCEF0-4EDF-623C-8E05-000000004202}1040C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4EDF-623C-9105-000000004202}5836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-289E-623C-8500-000000004202}29804996C:\Windows\system32\csrss.exe{5F3DCEF0-4EDF-623C-9005-000000004202}2156C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-289E-623C-8500-000000004202}29806004C:\Windows\system32\csrss.exe{5F3DCEF0-4EDF-623C-8F05-000000004202}6044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.311{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDF-623C-9005-000000004202}2156C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+21b7f6f|C:\Program Files\Mozilla Firefox\xul.dll+21b7d85|C:\Program Files\Mozilla Firefox\xul.dll+21b7dd1|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|C:\Program Files\Mozilla Firefox\xul.dll+1bf25d1|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+1c45af6|C:\Program Files\Mozilla Firefox\xul.dll+17b5b20|C:\Program Files\Mozilla Firefox\xul.dll+19bdd87|C:\Program Files\Mozilla Firefox\xul.dll+17a98ef|C:\Program Files\Mozilla Firefox\xul.dll+16ae50e|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|UNKNOWN(00000100869E1FDA) 154100x8000000000000000118630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.312{5F3DCEF0-4EDF-623C-9005-000000004202}2156C:\Program Files\Mozilla Firefox\pingsender.exe98.0.1-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/64ecd609-3216-4146-b6e4-08bac6e952fc/main/Firefox/98.0.1/release/20220313140707?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\saved-telemetry-pings\64ecd609-3216-4146-b6e4-08bac6e952fcC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2MediumMD5=DE32EAEA8BDF50D0DE7EF0C9FAF26172,SHA256=240E078B94BE8BC6BF3A14F914D6286985F9E50481504792EBCA1BFF579A50B2,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000118629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.295{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.295{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.295{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.295{5F3DCEF0-289E-623C-8500-000000004202}29802452C:\Windows\system32\csrss.exe{5F3DCEF0-4EDF-623C-8E05-000000004202}1040C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.295{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.295{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDF-623C-8E05-000000004202}1040C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+21b7f6f|C:\Program Files\Mozilla Firefox\xul.dll+21b7d85|C:\Program Files\Mozilla Firefox\xul.dll+21b7dd1|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|C:\Program Files\Mozilla Firefox\xul.dll+1bf25d1|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+1c45af6|C:\Program Files\Mozilla Firefox\xul.dll+17b5b20|C:\Program Files\Mozilla Firefox\xul.dll+19bdd87|C:\Program Files\Mozilla Firefox\xul.dll+17a98ef|C:\Program Files\Mozilla Firefox\xul.dll+16ae50e|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|UNKNOWN(00000100869E1FDA) 154100x8000000000000000118623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.304{5F3DCEF0-4EDF-623C-8E05-000000004202}1040C:\Program Files\Mozilla Firefox\pingsender.exe98.0.1-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/842e65d8-9a42-4c94-aa16-60f25765eefc/event/Firefox/98.0.1/release/20220313140707?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\saved-telemetry-pings\842e65d8-9a42-4c94-aa16-60f25765eefcC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2MediumMD5=DE32EAEA8BDF50D0DE7EF0C9FAF26172,SHA256=240E078B94BE8BC6BF3A14F914D6286985F9E50481504792EBCA1BFF579A50B2,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x8000000000000000118622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.274{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_394d91c7-f94d-42bb-96da-943ca61c6c9d.jsonMD5=FF2250EA1F8A0EA4ECC8E8382E89A08C,SHA256=D864E7F2029A4A592681932E37B3CBAD8E9316D96CE508EEDA28F2BF55226D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.242{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\datareporting\session-state.jsonMD5=2E6487A1A983202431382472C87F609F,SHA256=820B941B2BC93FFD43C9C1A216AF2170FBBD67A362764E58E98045101F1BD2D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.211{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=DEAE51541C2FFAE0FCF626D7D5DDA4E7,SHA256=6132A3ECDF554D239C7BF8EEBE63F5EB52FAB26DA8F1515AE1C26B83222BD16A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.211{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=9488BAC6C91B2AF25626A6A96DB6541F,SHA256=CD34FA24BF3FD2C0B7F4E52D3BFABA3B4A6AC64F4DD640A0504E40B12AC9E98C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.211{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.211{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\xulstore.jsonMD5=C0AA4F6F7078705CF225CC9703918D17,SHA256=C27A69EBDC4BF33CDA12D758E155B64789F68B2FB69C33694314A7BD7096330A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.211{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.196{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.196{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\favicons.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000118613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:39.196{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.15.213033821C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:39.196{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.14.100116178C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000118611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.196{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\places.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000118610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:39.196{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.13.113009575C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000118609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:39.196{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.12.50840877C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000118608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.179{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.179{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.179{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8D05-000000004202}4220C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e4e32c|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|C:\Program Files\Mozilla Firefox\xul.dll+1bf25d1|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+124ec3|C:\Program Files\Mozilla Firefox\xul.dll+1296c3c|C:\Program Files\Mozilla Firefox\xul.dll+1bfc96b|C:\Program Files\Mozilla Firefox\xul.dll+1bf2c30|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+1764887|UNKNOWN(00000100869C1E54) 10341000x8000000000000000118605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.179{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8C05-000000004202}628C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e4e32c|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|C:\Program Files\Mozilla Firefox\xul.dll+1bf25d1|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+124ec3|C:\Program Files\Mozilla Firefox\xul.dll+1296c3c|C:\Program Files\Mozilla Firefox\xul.dll+1bfc96b|C:\Program Files\Mozilla Firefox\xul.dll+1bf2c30|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+1764887|UNKNOWN(00000100869C1E54) 10341000x8000000000000000118604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.179{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDC-623C-8B05-000000004202}644C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e4e32c|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|C:\Program Files\Mozilla Firefox\xul.dll+1bf25d1|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+124ec3|C:\Program Files\Mozilla Firefox\xul.dll+1296c3c|C:\Program Files\Mozilla Firefox\xul.dll+1bfc96b|C:\Program Files\Mozilla Firefox\xul.dll+1bf2c30|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+1764887|UNKNOWN(00000100869C1E54) 10341000x8000000000000000118603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.178{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e584e9|C:\Program Files\Mozilla Firefox\xul.dll+e4e32c|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|C:\Program Files\Mozilla Firefox\xul.dll+1bf25d1|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+124ec3|C:\Program Files\Mozilla Firefox\xul.dll+1296c3c|C:\Program Files\Mozilla Firefox\xul.dll+1bfc96b|C:\Program Files\Mozilla Firefox\xul.dll+1bf2c30|C:\Program Files\Mozilla Firefox\xul.dll+17b5f9c|C:\Program Files\Mozilla Firefox\xul.dll+1764887|UNKNOWN(00000100869C1E54) 23542300x8000000000000000118602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.176{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000118601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.174{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\SiteSecurityServiceState.txt2022-03-23 15:09:01.549 23542300x8000000000000000118600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.174{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\SiteSecurityServiceState.txtMD5=F43E6400FB86DCA284D74BB7A90F63DE,SHA256=D93789E4262585BB1B802913643F71E4F3CAD63447713B83DCC7E042EA423AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.174{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000118598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-CreatePipe2022-03-24 10:58:39.158{5F3DCEF0-4EDA-623C-8705-000000004202}4196\chrome.4196.11.101309459C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000118597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.142{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-4EDA-623C-8705-000000004202}4196C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.142{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FE92DE6C5BEF9F50D6145A0E4037483B,SHA256=5DD8F9EC16BA54AB1A224CD8FFACAE43F166ED9A9FFF74D48717D6C31217479C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.127{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=EB9A0EC25705DAD9BFCD77FB6C93F110,SHA256=C8ABD496EC2F826AAFE1A74F5A6B75D5AFE20E5F10076B562D170B0A7B531F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.113{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\61ch5vml.default-release\startupCache\startupCache.8.littleMD5=E2638351A5D56E5FD3CCD44B2A7EE357,SHA256=5CC0503E620F8639E7686546C9FD1DBF65BF7F676FE5CF0CBFC2517E7E2E15F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.095{5F3DCEF0-4EDA-623C-8705-000000004202}41967068C:\Program Files\Mozilla Firefox\firefox.exe{5F3DCEF0-4EDB-623C-8905-000000004202}3828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27660|C:\Program Files\Mozilla Firefox\xul.dll+e5e3ed|C:\Program Files\Mozilla Firefox\xul.dll+e5de37|C:\Program Files\Mozilla Firefox\xul.dll+84e512|C:\Program Files\Mozilla Firefox\xul.dll+841441|C:\Program Files\Mozilla Firefox\xul.dll+19d5b03|C:\Program Files\Mozilla Firefox\xul.dll+19d4c53|C:\Program Files\Mozilla Firefox\xul.dll+16aebda|C:\Program Files\Mozilla Firefox\xul.dll+1fb8912|C:\Program Files\Mozilla Firefox\xul.dll+1a23f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25692|UNKNOWN(00000100869E1FDA) 23542300x8000000000000000118592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.080{5F3DCEF0-4EDA-623C-8705-000000004202}4196ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\61ch5vml.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:40.870{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424BE944872E0905ADD09A66092A7EA8,SHA256=BE578A7CFC4D87F24D9D3F133E2C39140E56C5D0815576C5C1E12296CF187C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:40.702{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD9D99E7971537FE3E07622F5BBE571,SHA256=11CAC48D8E97CE4D803F89DE56DEF9573535947590CDA0098DDBC42C4B00F1EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:41.964{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7DCB1CEB5FA2EF71B35713B1B87ADB,SHA256=EED1483D7D7D7177AD38051CB0D16EB6C5677B043F88566DFE8F9D3011EF74E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:41.795{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0DA2C43018DC3A4F0786937BCFD202,SHA256=00856BA17080DE675BA5A2D494FC62C05D633411F5B4CE6652166F2941697681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:41.682{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.215{00000000-0000-0000-0000-000000000000}2156<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63250-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000118674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.180{00000000-0000-0000-0000-000000000000}1040<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63249-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 22542200x8000000000000000118673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.137{5F3DCEF0-4EDA-623C-8705-000000004202}4196prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000118672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:39.137{5F3DCEF0-4EDA-623C-8705-000000004202}4196prod.ingestion-edge.prod.dataops.mozgcp.net034.120.208.123;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000085011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:42.889{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B1157ECC9EF42D5FEF5EF4A7EAD0FF,SHA256=95717103DD84E3CD70B2C3E45E9AE4AF9C65D2BF3A8CB17F83AF0789383A0218,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:41.007{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63251-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:43.983{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F75933A8F6931FB870E720DD646800,SHA256=8DFCD82D800A09CF7A31E76591E76F69049F341D9F2A39D5554FB6A0F3668776,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:41.429{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000118679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:43.057{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E6E538AD9D7418AF1739B4D951543F,SHA256=46637F8728347A9788653D3295187B1E9E7A64E1CA5E6BAD7D639092630C7531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:44.151{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D5BC951E304D49D9365E9A7B4DE372,SHA256=CE235D47ABE3AEE504859CDFC97D2B025BE43E4AAF5D9AF3AE46E9E86AFBD21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:44.927{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-159MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:41.750{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51630-false10.0.1.12-8000- 23542300x8000000000000000118682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:45.245{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C0295B5CCB074F91645D12007E3B6A,SHA256=830588968352C004961CA471FA08EA2DDFF83FB16DB5EF13FAA37EB7F648ECC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:45.929{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-160MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:45.100{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D332A3595967B6B2D99FC3B4D79BD390,SHA256=1956D4824FAB815F59403D30850D0F55088E68817D2452A668E3830F83A227AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:46.339{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8543520702CC2060D68F0677FF29D383,SHA256=407C7E74B4BECD68AAA4A340931D06CC068106A50E99918B7CCA63D7604B1598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:46.192{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086005F657C5643D4F2BFC4F44D4CD47,SHA256=9AB5B7F393AFE7ED85D5CF60B8E5A1A3BE33CE4A6EB0A9A7862803D24A222026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:47.432{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE4196141D4FD9DA9742C6D621F8462,SHA256=46664B0D1E7F4700133D7AE2AED86E5D4BEA47C541980199B7082F2B6451D5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:47.288{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14455301D6C9A849EB790FFACE34E633,SHA256=AFCB9DAE79F0D7332F1F0B2EFD0D5D75580A12DFAAFA7CF543701F463251D55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:48.382{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB162957FB741AF8DAF5B1E176499E6C,SHA256=E9D57C4A76F9410CBDABBB804BCB987A6B16640B994AECB1B0D1C70C62D35C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:48.526{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94153EC1CBECF902500AAB16496D6C85,SHA256=8C5D5C92374772F09F2A438EE68FBC43D013CA01DE1267992A665E98E9486164,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:46.977{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:49.476{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92FF09BF3CAADDCF97AB8D207F8F5A2,SHA256=EC787903DEFA977A1240667E689C17C89851400A2EB20B79A15F97954010AB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:49.620{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1093FC85A899F030CE50FA8AFDAC43D0,SHA256=940437A2ACE09BD386DF9453AD8F06E242E082154DE52F58B33407A3B2FA3B04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:49.448{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+5cde|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:49.448{5F3DCEF0-286D-623C-0D00-000000004202}8844444C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+5cde|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:50.714{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9733CE9B39265AF2CAB3921BB36EABF5,SHA256=7E530816032DA1488DB99654599BF048E235974DF819118B4EDD366B3E0EDC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:50.570{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417FB7923B1FBFB3E74931DD35BA18FB,SHA256=BBCF7E1FD184FCDF84647FF6C6B2FF48310189DEBD3A24F3973C67CC344FB267,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:47.775{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51631-false10.0.1.12-8000- 23542300x800000000000000085023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:51.663{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6CDDCD0602CE88ED67B249DF066569,SHA256=468C646D5FB7DFAD6A050921134D7170395370F071DB2ACF26990BFC65E20055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:51.807{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E73A00C956E63ACD9E1D65DD1B157A,SHA256=1CF4FF3567FFBCB48AB8E97F48E27EF1BF60AA478C207DCD784D17BEFBA55318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:52.901{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA81CE2216F1C8A688EB7D47EC8AF1F,SHA256=A4B6E602BD5C7BDAE268B4C7365E464596998790F1B256AEB46B7A81D310466F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.757{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA44CE77162DCE841CA56ECE3029D5C,SHA256=CD6B5A592AC6EC9443566A728929F327527381F5A6C705EF978CF05C9E5D7A2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EEC-623C-0B05-000000004302}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4EEC-623C-0B05-000000004302}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.241{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EEC-623C-0B05-000000004302}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:52.242{9531C931-4EEC-623C-0B05-000000004302}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:53.995{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA0694573CF2EBBBEEB2350196F560C,SHA256=133795534750785A2E7C215F614806D39A70DC398B09E0539497B4C9D43C77F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.866{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E491E6CFA84543F4D9A22842E730C3F,SHA256=90BE7B8F088312916AC6AEDD04FC7736D896E7BFB4FE105B73A6FB539E06A8D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.429{9531C931-4EED-623C-0C05-000000004302}3802172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.288{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99C5BE0A5FBF831EF3C2A83E2DFF1A8A,SHA256=6A866E331A37225DE753EF76EF9284EACE58F05C345543ADB8629E049DFF96D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EED-623C-0C05-000000004302}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4EED-623C-0C05-000000004302}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.116{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EED-623C-0C05-000000004302}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.117{9531C931-4EED-623C-0C05-000000004302}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4EEE-623C-0D05-000000004302}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EEE-623C-0D05-000000004302}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.992{9531C931-4EEE-623C-0D05-000000004302}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.960{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46AF0C15D6F18C42E9A59C4AF009543,SHA256=9466751B846516E643B2F1F7F74EE484D476D2BE4702CBA91539D437346CCE10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:51.976{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:55.089{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40E32C687F06BD6848FB734236B34A5,SHA256=9DDEB9E2AA931263918F47F56ADAC4F35DC2901C727AC15CC02CA186624BE363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:55.148{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F155E2A1B9E6731AFB94F572819CDDE5,SHA256=90AFCC4EFD8E7D67BFED2452C03D755BB2C15A71F52F668B90137B5F09AF435D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:54.991{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EEE-623C-0D05-000000004302}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:56.178{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A92254846D6BF318E86E985C8C644F,SHA256=ECDE1DD8765F3E39CABE9799FC118975EA81D59501A96611D6EF09D07DB7800E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:53.681{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51632-false10.0.1.12-8000- 10341000x800000000000000085083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.536{9531C931-4EF0-623C-0E05-000000004302}33481128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EF0-623C-0E05-000000004302}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4EF0-623C-0E05-000000004302}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.161{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EF0-623C-0E05-000000004302}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.162{9531C931-4EF0-623C-0E05-000000004302}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:56.052{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8BF1348182C8BDF5C43AADE5400FF1,SHA256=1BEE207D742E801657CF064CC0738956302EC5BE99B060BAF189D20DC808EAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:57.916{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-159MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:57.272{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CA69B8EA637DACBF68AA9F1CB10537,SHA256=2726ABD0837C75C482F164F8F0FC305628BF04ABD3DC7F2B47E384E511490C56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EF1-623C-1005-000000004302}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4EF1-623C-1005-000000004302}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EF1-623C-1005-000000004302}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.740{9531C931-4EF1-623C-1005-000000004302}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.411{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD939D001EF6A0E75B117A17CAC7F4C5,SHA256=8D19A23A6E92DB746F79840FBE9FF78C416ED4858923C9F7F8297FB2436CD7C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.240{9531C931-4EF1-623C-0F05-000000004302}692976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EF1-623C-0F05-000000004302}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4EF1-623C-0F05-000000004302}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.036{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EF1-623C-0F05-000000004302}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:57.037{9531C931-4EF1-623C-0F05-000000004302}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:58.929{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-160MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:58.350{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C17C8A89159C0A392CD5B83B19A727FD,SHA256=4E27C3D7A8070AB8A702E3F4958E9098A220380160A7F7AC3AABA8ABF56D5AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:58.974{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D1E1218E1B291BF23B06ABCBCD7E95,SHA256=EC1A669F1C52F24A4BFA66C171C31CE0667755671FCFF0569619AF1D6C31952C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:58.380{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5633E8956FC888DBE01667FD235AC72C,SHA256=31750BB7CCEF5BD39B82428E3A245DF7EED673F8367AC5B582265AD3D1970694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:58.052{9531C931-4EF1-623C-1005-000000004302}38602468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000118702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:57.847{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63255-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:58:59.444{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23988ED9D8B46589DE3FC943CEB61177,SHA256=258534B0B8BB8804913AB6BA44CC7EBCD2F553703C90D046B8346558B7431AAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4EF3-623C-1105-000000004302}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4EF3-623C-1105-000000004302}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.536{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4EF3-623C-1105-000000004302}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.537{9531C931-4EF3-623C-1105-000000004302}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:59.474{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCC41A59CEF7C0ACFFF7D7A2CB8C767,SHA256=501F7B59DBEDCFC378076ABF7E1C09D7436FE0FD32FBC4984712FAC9027654CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:00.539{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98427A10EFC6B684F29E64C1E6816299,SHA256=A9C7AA2745F5161AA51166BBE98A8A3126D157F40015A3377FE203F23B86E9A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:00.568{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAB929340ABBB3AD4B14587A74388E1,SHA256=34F24B81B32A1BC611218CA887E126321A9049A532DD78BD66133CE0781E44E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:58:58.725{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51633-false10.0.1.12-8000- 23542300x800000000000000085132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:01.552{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49820592A7945D8B6CCDEF9189FDD71B,SHA256=CAFF6CDDA15EBC5A1330F3E52ECFFD89997A4BF8E07AD5923A4382BE6E211FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:01.633{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20066DEF563362547194F6CE1A0621AD,SHA256=2B1E6DB018CBEF8D1BE696CB56F12734AECF3BBC7BB9C427349421D8969E2D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:02.646{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4149F1457F8D269F0BE866EE3969C428,SHA256=D026AE689C6903D3BFCBB1CB342BDD4651C0850C82D4C061B8AD6F473AFD0330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.728{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC60B8A7D445C53940254F2AFE450A64,SHA256=8B50F42E25F29A9E4109CE0356051DAAA41C9B29AFA3ABEBCFFE1FD3D5BBADC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.524{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EF6-623C-9205-000000004202}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.524{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.524{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.524{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.524{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.524{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4EF6-623C-9205-000000004202}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.524{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EF6-623C-9205-000000004202}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.525{5F3DCEF0-4EF6-623C-9205-000000004202}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:03.739{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A3A3153D678BE9CB2EE290788E25D2,SHA256=3679E0A7571D1F0996445DC3898D00AB27AF9A32BA24B6C2D5702E44831AF8C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.977{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EF7-623C-9305-000000004202}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.977{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.977{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.977{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.977{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.977{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4EF7-623C-9305-000000004202}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.977{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EF7-623C-9305-000000004202}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.978{5F3DCEF0-4EF7-623C-9305-000000004202}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.820{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978392CACC4779B8B849ED2F7131B8B1,SHA256=11325371908925E8A41684E785B58F6DC5D99AB3DF09682200031B7ED739B25B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:03.633{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4639A166EA70B0F89F783CE3C87E3A6,SHA256=D639AC4E81DA51AC9342ED7CFD83FD10E5D4EE0A29A20268AA0ABA1870EC30EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:04.833{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D933FBBBACA80DE5EB1C7C2C010D6B34,SHA256=249A8DEDB07C4381D9FBB030C5AD9C6ACD9680185EC4EF1AF033D62DD9161DB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:02.848{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63256-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.914{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77B3206F6AE3DD53E35E3E0E419CF34,SHA256=9D1659D7FB14CAE1ECB696150F807B8E85B9AEFC00825255A8E23FB625F6B781,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EF8-623C-9405-000000004202}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4EF8-623C-9405-000000004202}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EF8-623C-9405-000000004202}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.649{5F3DCEF0-4EF8-623C-9405-000000004202}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:04.180{5F3DCEF0-4EF7-623C-9305-000000004202}11684484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:05.927{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF01157FC5D37FD886D6D0833836C80,SHA256=5E8C1F05B858874E769B0123DA5708E7049ED4CD6DC85DD654A78AE73C37EED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:05.289{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B37687404B0017552CDFC0428EAEF86B,SHA256=2CBEC27D10C7B08234C083DCE16F3E6A95DE76B6242286961534F2D2E2B72391,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:04.695{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51634-false10.0.1.12-8000- 23542300x8000000000000000118736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:06.008{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2697DBA1497B0CA731C864BB5CA03F43,SHA256=9A8E95129F8C481BB612FD5F272AFE8CD1F867B92D49B74A5E906DE781B0F8A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.633{5F3DCEF0-4EFB-623C-9505-000000004202}59483548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.414{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EFB-623C-9505-000000004202}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.414{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.414{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.414{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.414{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4EFB-623C-9505-000000004202}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.414{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.414{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EFB-623C-9505-000000004202}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.415{5F3DCEF0-4EFB-623C-9505-000000004202}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:07.102{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86DD7EF0BE9B96BA4D3E7E9EF9BF872B,SHA256=074328DD8CE4BF107D582C3FAC566F25A4F979EC917C6F77CE7BFAF093CA2133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:07.021{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6983B1DEA8679EE60D8E06957CE3B57D,SHA256=58DC4DF252AAEB8D2F41FC1DDFA6F307C6690D0AC1D1F82B72554DAE9050E4D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.805{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EFC-623C-9705-000000004202}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.805{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.805{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.805{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.805{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.805{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4EFC-623C-9705-000000004202}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.805{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EFC-623C-9705-000000004202}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.806{5F3DCEF0-4EFC-623C-9705-000000004202}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.524{5F3DCEF0-4EFC-623C-9605-000000004202}34605764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.305{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EFC-623C-9605-000000004202}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.305{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.305{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.305{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.305{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.305{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4EFC-623C-9605-000000004202}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.305{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EFC-623C-9605-000000004202}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.306{5F3DCEF0-4EFC-623C-9605-000000004202}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.195{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE1E1F1364C0032285F042F8E5A6398,SHA256=A5E8C96E10E9A172CE637126421965C5A71B99AF4A1AFE4FACBD082FD34BFF02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:08.006{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78955F7DF14CE25A3199AAB0166DBD87,SHA256=DCFD0F493D73B4BD275718AE64A846B66A0E9571AAD2B058D7390666DC0E5B4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:05.802{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63257-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000118747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:05.802{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63257-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000118777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.867{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E05ADBD132AA9C56612EE7D1DAF9EBE,SHA256=585A48DDB929902BECD68F3FEC2FC6213B6C06DF3197E9F5AB87D42732DE14D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.649{5F3DCEF0-4EFD-623C-9805-000000004202}67246240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4EFD-623C-9805-000000004202}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-286C-623C-0C00-000000004202}8246244C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4EFD-623C-9805-000000004202}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4EFD-623C-9805-000000004202}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.477{5F3DCEF0-4EFD-623C-9805-000000004202}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:09.289{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E130B9906C34AA12009D3A3C61D3F24,SHA256=398A04C6B27034E9AC1F023BFE953D9D4703C0276B0A21C00F92422614B743C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:09.099{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E0E0F3DEEEC837A0967CF34D9BD64F,SHA256=63428015A56E82CAED404A2C189121EDC3F6F42FBD64EC1BE5BA7F56E70D9737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:10.383{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE04146B74A2C779CB5F922565B2E54D,SHA256=AF0A2F1A6B9D6242FB97F827440FCF7AE8ED60BB614B43DEE44777C5B4E69583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:10.208{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75395ECCAA21CE6B6A191C4F48E51917,SHA256=F289392BCA45F17AC9EB9B67AD5FF7CB74ED80C22701682F82B6B6DD5BCB2518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:11.477{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C0E96674C57DE538A4E04D849B6A7E,SHA256=5E214E45009CB7947749CFF32159CE3802C4370ED2467ACC43DDA51FB4A8FF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:11.302{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB23C2BE74538F32CE573E5367560CAD,SHA256=B51ACDD202FB5C04FEE71209E6E77058489A9B19FD242C61CE30BEFC46D628F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:08.005{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63258-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:12.570{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9E96D5DE81A3349FC749C823C7470F,SHA256=DC2D6035C7B39039435CBAB26A54AD2376204C183199C30BC708DEC7989F1D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:12.396{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8B92D65ECDFBACD24DE9781304429E,SHA256=2F1F83609F7F5CC14F969B0B7584FFC44AE43FC32497705A9D8E8AE5A2F6D23A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:09.726{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51635-false10.0.1.12-8000- 23542300x8000000000000000118782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:13.664{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DDC0D52D74D1EF0D4F6FA0C210EBD4,SHA256=4528E21EEE88BD0E76756C7F7FAB0AEB70B0AB1AEF744157DEDF7FE6FC6F0D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:13.489{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC548EAC96B77503AC91BCD674EB615,SHA256=5129F78EF845EB48FA8EE6F5874EE79D4ED5F19487AC0A884A5719D7CE73E3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:14.758{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6461D740DD452D08BBF8C26B2AF119F6,SHA256=0C37733A5D629734FA70C678B677403F8782DD9C8A9E8EB96597CC15B094F155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:14.583{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AB9BB0E8295831A96255E2CB293728,SHA256=B50271DD1DD715A5CDC6AF85FEECDD5BA954639A556EE6BF14E637F8EB519BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:15.852{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00ABBFF571C2D8A6C3EA5045D445A2B,SHA256=9A810D7544E298881107F823E2DDC17E29C32472B4E9D47A54A2D288C412D70A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:15.677{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BC5C16577813EAF7737A39859270CA,SHA256=5D12677D1AC7D0455FD8C9F88E906FE5A1E64E0EC7DB7FDD8E7DFEA9B9FC7352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:16.944{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8E94D6EFD3B1D626AE2B10C70210D3,SHA256=43847E0E1F1F7D3A4B90EC2C0BD68E717D9273286F0FCB2AF262D6BA71494F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:16.772{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9BBB745F4B081E572DEEAC3304A0A0,SHA256=979BA524A2A7D8D50696EF809D0D180F6A6BD77972E0F7D94D2F426520D48613,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:13.958{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:17.865{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C994ED289FC4C0C9E4C3EDDB78C8AD69,SHA256=9D8EC93395B6410C4B70A4C7ED836EB071ABFE68475D4373081537FCFBA76E9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:14.772{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51636-false10.0.1.12-8000- 23542300x800000000000000085151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:18.959{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41ABC41CAB7210EDBBD749EFACD924A,SHA256=34A98C59D70323062D982EA6EB5303349FAB55CDADF91E2CD4A8367EC74FE171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:18.038{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4E77CA9EA7FCF2D6D0BAD7627D45B8,SHA256=739E888D4BCAFDDABD08FBBC4D9EE79036F70E77E92AB19922697F36407AF283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:19.132{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01183502B544E8B915C08F87887DC94F,SHA256=A367E8572318D2DAF4C2D7997E1B8A5947F5CBF2EEAC2B386B2B44B7200951F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:20.226{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A77B2A00A82184BE4E6790C84257FB7,SHA256=92DABB9F45C147CF63C233F57C07BBB7CBF3E914788AB925ACFBFA9573ABE6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:20.053{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A89FCB8564F5422310C1BC4C652116,SHA256=E4A2D73347CEAA19412E732CF5005312F1AE30115934CE4EF3DF9F49CE50FDA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:21.320{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11960121CA18DC743D940F926913170B,SHA256=72EA4ECE26C59B674A82703E50CEA3E8BCA6D1224BAFA2C207554CE22782EE0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:21.147{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A669321E93B13545A3BFF2D7B74BB9E,SHA256=3637C7CA9F89CD0B2F31B5ADC557CE0FB1AE81C67AA159065BDA097710010E07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:22.413{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A30345001D6327472EDAAB38D8077D,SHA256=3B30CCCFEA45E82FE74D94CCB813E3C686139CEA74B2DF42A8608E6486B2B883,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:19.831{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:22.240{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34BB474FC9322935335F4BD48F3BFB5,SHA256=3C4E387752F4B041FAC25212BCE023E90BC36E20653EFFE33D70CB15C6FABEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:23.398{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8399DAC0EE849FF49C33047B3877C0,SHA256=0044A04FC39DB3BACFD3D08627A5F92EDC8CB9938FF3DABF7853B694BA95E42D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:20.711{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51637-false10.0.1.12-8000- 23542300x800000000000000085155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:23.334{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23E06781895E6E5A567F61B26B0138C,SHA256=02F7E21C92FF75C723953A79D79DD79BF2584F11E4F80AC57E029E2516A23197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:24.491{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF3EFE5DDF7953016CE2921A39F36BF,SHA256=91129797E98DC21DDC245CF48B06365F27928286059D1C9750506269DDC13E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:24.428{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7840747308856CF0FA01B517F67A93,SHA256=1E4427D5857DB8079B21D67946EDC4AC7F667EA260BF10FFFF6B08D9FA62AD7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:25.585{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF2214F69DEBFA1C1635D364F927BAC,SHA256=3FD4FBBE112879EB279BC8737BD97E1DD3D2FB966E43711555B088A3902CEC18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:25.522{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0392312DC01E340C44ECB43924B54A47,SHA256=A374AA10B2FA21BB4B7318A85C7190DA729C1049BB60E2835D74F991B168A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:25.287{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BE14064979E0542E459911A4EA4797D5,SHA256=C17808D099F9B3D568F5B17E1F906C071486B76EED9F14A7F4064B862A61280F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:26.679{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE105CEB8F5C9CBE7BA64B84450EF509,SHA256=8828185DD3CE7629F4053020F80F889AEA16D3C4BEFF53DA396C091F3D97F598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:26.615{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A230A0C3CA9BA762DC5825E3EF4C0BB,SHA256=5EE3AF773137924DEFD8D58343DDCF2BB2EE40A96C020B6932EFD0494D454FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:27.709{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE0DD5CF4D603411714B79860C51092,SHA256=DB8085A3A575CAAE0F99B8BB388FC2EAE1367A5CA0972C108D0515005869882B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:27.773{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C80E834DFDA07C92E674A851389E67,SHA256=3C50F97CF5445245DA45913E3A2F5B9407847B7E35E172E0C2BD1589EB848398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:28.866{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55763AFAC9B86C01C98303006B37179,SHA256=DDCDF13CCACA702193F2A82D0F19E0A03DAF557EC109162F0AB2FDE539493FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:28.803{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E1FF46153EED543FEB3D99C46D464E,SHA256=467ED2C92372FBD2BF067443ADD77A5DE5715E348C4D110EA3D59D6F69271BA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:25.831{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63261-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:29.960{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F46BF1C8F1E8C9DBC68FC498E9EAE19,SHA256=A88A3B5EADC5468B474463164D6D16B719BBFCAEA8F542997F731EE46AF147D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:29.897{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23192AE0B63B54F0BDA9EA40EDF96573,SHA256=28E3C0B746BBF03708FEF215BFEB42925BB67B0989D0D929177FCEC4F1E4C113,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:26.680{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51638-false10.0.1.12-8000- 23542300x800000000000000085165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:30.990{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E9DCF0F84B5048B2864EF4403622CE,SHA256=2CE911F735B1BF28846D642E18C3D70085A2A40E46C7350C7F2CCDFF20B982AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:31.054{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDFE9070299683DD3F991FA6C721C8B,SHA256=A1CC7E6493CAF260CDA03E2CAADC5ED496F7967B8BFDDBCC58CFCC591BBEE2DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:31.444{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:32.148{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE15B4E2A5EC7E727D75640604274908,SHA256=677E70DAB625527E342E1AD1D0EEA55D5B158EB36288AA0CBE38BC8C019FAD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:32.084{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B4F473C1C9146AA9C514D59AC9D78B,SHA256=1C66D5A9CB6062881E6975ACE66D84282E38031EFDD41B027D1BD9E56D970A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:33.241{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4840A9F42024F07C638A3AD1ADE61D,SHA256=F217D1AEC019C752E9B68E5D6C493E9AC921F78C77780292AEC2B99B96591A0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:30.977{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51639-false10.0.1.12-8089- 23542300x800000000000000085168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:33.178{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4823E41AFCF832B2DA6ADF1167B5195D,SHA256=EC4B8F212CCCA9388336B434E23C5F90A4CA7C50E95F657EF2E2785FE80AFE1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:31.847{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:34.335{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECB976304C984297D4C0CBACB4DDAD7,SHA256=A1D1AD3E8C9CC942EA431C5395E833E5ED962BEA3F3C2919A5C3C46656F476CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:32.617{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51640-false10.0.1.12-8000- 23542300x800000000000000085170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:34.381{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B433AD9B63FA38E32034E9C3EB21D23,SHA256=CB1956E21209915B405B8ACD4908529E66653BD767798CC60ADDEE45049FA158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:35.554{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B795479000F6476DDCEA5431DF760531,SHA256=7CD129B98D8847A839BC37965D5787D251D4CCD5279AD848C864AFF224CCD6C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:35.429{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B26FB93F4769D74F691CDE14D462BB,SHA256=6155C9FB48EBCD58CB6814B925836052D65A60D6110300B8B4E9651B517A5F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:35.475{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25C26D99EB37233306B3CFBCDD2FD34,SHA256=C0C723CFA30ED4A7AA0D5CEB84E6D00BB007A2BBBD7C657310D38DB4A5BFFF53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:36.519{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62051D51C5AF1E103FEF98C215F3A222,SHA256=E4DDD490382E62D86DBCF9BFA39F6127004BEB449D8F8A3695A2B47DB4D1088F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:36.565{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E6AA8488F330CDC67182A59079A246,SHA256=0373D97A2AB2F3E45DFA34DF0544061C506F2D3B7A35B336E06E686BEF526220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:37.613{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E4E5D0EC2C3209D7DDF4BA50C534D2,SHA256=1F62D58F517B55E751CAE4A14529B20CC2441960C9C29217DB2C54F1525D5036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:37.659{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1C27F6C961679E21A1FE2C09F11FF7,SHA256=AB2EAE67EEEF20F30EDF74F5339EBBB60769BF13E009CD35037702DFE16132D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:38.707{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB0DD824094C240FCEF283233B8E256,SHA256=A77CE200511EA44B31ED2AA8FFD6DBDA05664E2F5F7C5946D803C9922BCA533F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:38.753{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5BA7B29CCE855A884414D877C155A6,SHA256=91E4CD4E88BEDA76E0F2BA1FF53F29F66F29C3464F4E84D8F9769E9A600022EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:39.971{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9A031512B6C6FF3A344E6CF20F1B75E6,SHA256=7F6E00A8462741C8F836CE6646D960637A5D30B275760688B855BF555DD78D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:39.846{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F5337D64787E6868E6E96097BDCDBA,SHA256=BBD1D14F67BD6F087F4967EB2FB6982CA706B14ED7FE3E36AE363ACBAE14EEF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:36.922{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63263-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:39.801{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17DB01F60F6A9A4CDC9C9CD6A7BAB16B,SHA256=123C5277112884108F0F415565460E5310557B82C116A4D3D66ECFA353D5CB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:39.144{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BB38F00C5C1693E7908C2219FBAFD2D2,SHA256=E3BBE04B9E498E1D178CBA2343469E9DC86267D5A14BD8EE9D3ED37F0E3723F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:40.940{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6137430ABF8666594C6F2F9CB709C96E,SHA256=F83BC9CFE7B73570B5774F6781A97FFB9D0D0F842F147622A61A64A2B27FA308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:40.894{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4230A69E62FA8EFEEBE4DA27936DB9E8,SHA256=1552E18E2244CB07538EF28A2EB317F4F0433B9BD0C60668B20F0262B10D4E4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:37.661{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51641-false10.0.1.12-8000- 23542300x8000000000000000118816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:41.988{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7DE98C0F3245EB01C2478E77FA5F7E,SHA256=D43F54615C94F1CBEB2CA538CFE2D39E4F2D47442126D922EC5D990E684EBEF3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000085180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-SetValue2022-03-24 10:59:41.003{9531C931-286E-623C-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d83f6e-0x42f98917) 23542300x8000000000000000118815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:41.707{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:42.035{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDC92FE729FE14679A79BCB1F0C1EC3,SHA256=4113049E173B3B23F8A9CEF5A1EB6179BA754CD802C8FBC68FA4D54A61A10A73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:41.453{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63264-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000118818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:43.082{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DADABA7B0528E357DFF615E34CDD839A,SHA256=787C5528DAC0D67232D97A60B07F12BEF1D765716AC7F706426DA5CCEED6A24A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:43.129{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD43DFA76E791D8AC1F520E39056D9D,SHA256=98BAFD0CDFEA1C99EFC8D5EF778E8BE4EE73D6BFCF9EEA7122736D90D33F903D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:40.535{9531C931-286E-623C-1500-000000004302}1040C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000118819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:44.176{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2997AA4771240FE9DE9CF381D823DD7,SHA256=49D7C33E02402F99384924C29DA3044715011694B5BB4B316B1C51AFD1EA5211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:44.113{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4687CDCA702E69BCEBF93028DE4D48BD,SHA256=7A9BB545B0F95CB9E901F35621B75DF940B0AFCA48D28FA30DB0986D18FC06E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:45.269{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9669B60FEF55CE1BDFFA62206FB56A4E,SHA256=63C670D1466C281D95D79CFA7804D8C07AC0807B2E5A0253E550474CF131C5D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:45.207{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED8076F5CDD364587714E7CC3330C14,SHA256=7392DBA2DC34661D09EE00BE14443CF3C517C9F877E44DCBA38BC6A462FE15DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:42.984{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:46.363{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB8BC97454A68805F73FE9272E56959,SHA256=C676BE333751DA525AF1B592FDB97A955F0FB57171F9CF35A74D4CAD975BC939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:46.461{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-160MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:46.301{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D484DD746FED5CD810EC2FDAED102E5E,SHA256=03903ACAF924E06BE29A527A6BE4EE33305F0ECD695A46044D68037D1F512926,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:43.584{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51642-false10.0.1.12-8000- 23542300x8000000000000000118823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:47.457{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B918693A2F6331C45D7C7AB4E8879CBF,SHA256=2D68D6C5ADA4FBD640450C24F2855C9C21BCCCB4531A360D1D4B7FFCD78EC252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:47.460{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-161MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:47.397{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6170F9A17A6BCECDD6BF1BFA67BF405,SHA256=C125545929790DEFAFD37231CF74EE0EF7FE296B461549F9080BDC5D4E35040E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:48.551{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1776BCC3C0898890BBCF2C707B13E171,SHA256=0DE983436C5D95AC5DD27566112BD3B112CD1187798F7D0CDC4EF55AECBACC35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:48.511{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11443C49C0D8E4AB8F80AF8053DE5143,SHA256=2CBFCAE0568C16DD133E6F169556E4D8112B05D00EA8A562CD4B142423C23887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:49.644{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12193D3333264A32600D6AA0F00996EF,SHA256=47C76F172A21B25A89C2CEA5C4D4EB4CF453E70DFCE48222A8CD241F130761AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:49.590{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF34277A8961A373270B885A12ACB9A3,SHA256=B2B1CBF781142E4DC32C502BE2FD70D6E75F3B25FB66EB6A39C21984B847B533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:50.738{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06ACEB0DAEA3535358F84FB3AE5462A7,SHA256=FA2E820629521D8B9772D0BE32C2A57A8327923DF69C1F6AA069FC2909DB16CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:50.793{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E813437EBF2B14B66605D8243B99F56,SHA256=FA431B3C506CDCD2890F2D242C1D52E7E6014D9CE8495C40873BE3A9223FCD4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:51.886{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313E244A3F1888008AAB977D165B0C25,SHA256=588141267C3399D12D0D2B440FC7DC3F85122F190CA0F04C14ADFAFAE37129CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:51.832{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55DDA50163CF67BAA8C0D3C5DFC4D9B,SHA256=0C2B3D2D3A1EDB604C1828AC946921CBB1C8F51F0ABC2D2D6354C89615E00CCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:48.984{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000085194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:48.654{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51643-false10.0.1.12-8000- 23542300x8000000000000000118829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:52.926{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475D738AB3652938A6D32B82BA89C748,SHA256=EA2A60DDE904E7AB4B263DD249A0431F8B269335F805F6D22381D1DECFEB842F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F28-623C-1305-000000004302}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F28-623C-1305-000000004302}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.730{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F28-623C-1305-000000004302}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.731{9531C931-4F28-623C-1305-000000004302}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.574{9531C931-4F28-623C-1205-000000004302}39083764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F28-623C-1205-000000004302}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4F28-623C-1205-000000004302}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.230{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F28-623C-1205-000000004302}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:52.231{9531C931-4F28-623C-1205-000000004302}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:53.386{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB985E787ABDB6DEF56E6D072F2D3C76,SHA256=33D7124932ACF684A2C3A099ED4806DC2A43B7A5D5DA2D2CD78349B965CB7752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:53.371{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C31AFB6C78D63B42E7756875AFD8B3,SHA256=1DF7B3AEC8F216D7E3797DFE5908C5920009440F657F735388BFFE326FA7A7F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.449{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E293F88F55821C80BD335459A35A78E,SHA256=79CA6E534DA034EF40E30B1690B65F284D5509C92B37F768411F94C5B7FAE5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:54.019{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC026205BE48ED4E3A93F7BE9FB6D447,SHA256=4C0CFB73DAC9A55ECFAFAEE6D899DE09ED7AAE51D7B0E7BF41343EACBA7B48C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:55.543{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD09955F88F2DA59F8F332FB7AFAB727,SHA256=DD116EE2FF8BA9D241977F9F3CBB513ED55261D72FC4F5FEA75E34269581565E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:55.449{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9B55F76BA970EB951E82826112DD7DAB,SHA256=D22FEC0E4D022197A73A522AD5CE1FFC6F230B4608A92575DC9A0E9FCEE7C266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:55.114{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9372AAE78E786985106B8222F8DBB6,SHA256=41D002041705DB076E85C187EF7F8E7F6EB317D9376B66D54634C91377B1823A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F2A-623C-1405-000000004302}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4F2A-623C-1405-000000004302}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.996{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F2A-623C-1405-000000004302}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:54.997{9531C931-4F2A-623C-1405-000000004302}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.820{9531C931-4F2C-623C-1605-000000004302}37922868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F2C-623C-1605-000000004302}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4F2C-623C-1605-000000004302}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.539{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F2C-623C-1605-000000004302}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.540{9531C931-4F2C-623C-1605-000000004302}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.523{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEBBCD66E26B0C126DABBB6D5D00FA70,SHA256=A92B8B5129D367CA6424B4220E10F8721A14A086228844C664814ABFCFB50F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:56.211{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEEB7DC4B9660383A5C5EC7B895B2B3,SHA256=522D219FED2221B4309AD857A6F3CE0CD484245770DFE49F9B72888326AA2075,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:53.732{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51644-false10.0.1.12-8000- 10341000x800000000000000085254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.242{9531C931-4F2C-623C-1505-000000004302}29483876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F2C-623C-1505-000000004302}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F2C-623C-1505-000000004302}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.043{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F2C-623C-1505-000000004302}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:56.044{9531C931-4F2C-623C-1505-000000004302}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.648{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC247632E174B01408E0484BDE79BB9,SHA256=2D59D368B2EF09F18BEC5C62953EEBBF38061182FD907B6E54FC023E04DEF476,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:54.892{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:57.305{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2A9264EA7D64E0954ED3E540CA9D35,SHA256=0F798A19C99BE763D18D953D0C159BFE8B84E80E00373739522B9281FBDE24B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.210{9531C931-4F2D-623C-1705-000000004302}15281180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F2D-623C-1705-000000004302}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4F2D-623C-1705-000000004302}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.039{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F2D-623C-1705-000000004302}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:57.040{9531C931-4F2D-623C-1705-000000004302}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:58.710{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B4FA242E49C5509235049667470FB8,SHA256=800D14FF7A1E26BC150964C717D359105205B45DD00B116033B251623FBE3033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:58.398{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5C0DA264FB81ED477DBA58C3A6C295,SHA256=D88C62663BEC7606D5225FF7744563BA84C4A39ABE7E69F69386F343C6612651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.804{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E09F595596B691269C06ED45DFD0B5C,SHA256=553BCE9CB5D6F9C12D6DCA63F977B07618922B9E1F3F11138B540658A989FF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:59.492{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410ABFEB5483DDF8465962D13E3248ED,SHA256=36BB679B7573CF09D996C8F938F1C4CD058E437A7F8B54C0EDE2C06212B90AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 10:59:59.463{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-160MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F2F-623C-1805-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F2F-623C-1805-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.523{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F2F-623C-1805-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:59.524{9531C931-4F2F-623C-1805-000000004302}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:00.914{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A7F97B27E524C7955FEA49EFD3B52E,SHA256=946653775966FE55A68DED21A4417E04A3911DADAE128038700F91A678D7B5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:00.584{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9745E68E3934DF0AD528BEC13016C1E,SHA256=4B008D4407982A2F9D803FE7530CB28ABBF890BF51C7988D040BE74B890417FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:00.477{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-161MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:00.617{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAADC6CF75B8546C00D38F5EB649D758,SHA256=E6ED7D96743F3025F2C2A6A6E367EEA058EFDF0291399D0FB74ADD4073DE30CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 10:59:58.806{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51645-false10.0.1.12-8000- 23542300x8000000000000000118840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:01.572{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5281E7BF066E6EF86115856BB58F32BA,SHA256=1CC2D7B5BAEC7F4C6D95226D6A1A5D39E1A7C05714E28BCD4054B2E9A83497E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:00.880{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.666{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1EBEF77CDDA840175A0950175D8135,SHA256=7D71FD9192067DD87EDFD7EF6E56F9420E6AB7C1116842824691AF16564F0342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:02.023{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7764748317EBA3AF1D9213CA30C2C22F,SHA256=F9E91B31DB049ECE8AAADFED36EBE1D18CF8F866B4EC9AA1D5D17A28008513A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.540{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F32-623C-9905-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.540{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4F32-623C-9905-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.540{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F32-623C-9905-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:02.541{5F3DCEF0-4F32-623C-9905-000000004202}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.853{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F33-623C-9A05-000000004202}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.853{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.853{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.853{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.853{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.853{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4F33-623C-9A05-000000004202}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.853{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F33-623C-9A05-000000004202}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.854{5F3DCEF0-4F33-623C-9A05-000000004202}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.759{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3481117965ED6FEA482DB57B6EC74B23,SHA256=4BBD9A91F18D55BB913EA55CF843FAE402547FDE8EC41A53EA354BCF6762A11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:03.697{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E631A5DB4D413D6BED84E085CFC8A7CB,SHA256=6C9FBAC7E95D7F7F65CA9FE8DC112CE1F26DDD7A3CE9CC787F57C1414C58338E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:03.117{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ECACC2C17490DA363EF55F7F6ABD083,SHA256=46A8609F5B61736DB3C3C24BAC662CED31451D992332EC0613B2F2704A91EA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.744{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE91B0B20A7977C3CBC9FFB371E7C0D5,SHA256=09AFD4B01B466BACFE3DDB040E6E79CC8CA09FAE5E94BBFB9926910BC0DBB492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:04.211{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5050477AB4BF2DDC675464E96A722AC6,SHA256=4BEC2CD30D03C262BAFDB9F5C2F5C321CF946C06571E41EC0DF43A2A72CED352,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.353{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F34-623C-9B05-000000004202}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.353{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.353{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.353{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.353{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.353{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4F34-623C-9B05-000000004202}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.353{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F34-623C-9B05-000000004202}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.354{5F3DCEF0-4F34-623C-9B05-000000004202}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:04.087{5F3DCEF0-4F33-623C-9A05-000000004202}26964184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:05.837{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C840A3E16FDF0E75E104EFCFFF7B508,SHA256=500E3F332A2464F5F16ABC9C86C05F768CF3AD5DA36DA3AB11157548B77037F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:05.775{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C3471AB5479F2A202FBE699FC4C15FFF,SHA256=B6805AECEDC3AA91E975D93DB788462D90DF74BCE7D023229DAC500F072ECDA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:05.304{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70EE62BBFA1164D36712A9E13A893852,SHA256=83CA6EFB79102E7D9133BDF390956BB3FD8BFE2244EFD5928B83ABD2322AA765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:06.822{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C77AF7C03B2C9C1914D8AF546EB324,SHA256=993FEBF496B3E20A2D5DC5A0E3700F04F32A9398EF7F84CE07FFD6A3B5B18DF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:04.708{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51646-false10.0.1.12-8000- 23542300x800000000000000085308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:06.398{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C515822B19540F7CDA7DD2613D5D648,SHA256=452FD9FE279F2CE77402817AAF6DAB41A86CCFBA1B01020DC146065A77689A58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:05.818{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63269-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000118884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:05.818{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63269-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000118883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.915{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCB37E4D7B8D7317346BD40E57F29CB,SHA256=009CAB3A9083B875DB8EEC73F92857F783F92ADF0E6794B2B4551BC696C8093E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:07.492{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813A3EC633B5A875DFB685D4D0DDAE5B,SHA256=C3604AF13BA7F5821F9E906DDC84614BA0B78419E5116E61064F2893D36562DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.540{5F3DCEF0-4F37-623C-9C05-000000004202}46564172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.306{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F37-623C-9C05-000000004202}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.306{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4F37-623C-9C05-000000004202}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.306{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F37-623C-9C05-000000004202}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:07.307{5F3DCEF0-4F37-623C-9C05-000000004202}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.978{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F38-623C-9E05-000000004202}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.978{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.978{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.978{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.978{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.978{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4F38-623C-9E05-000000004202}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.978{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F38-623C-9E05-000000004202}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.979{5F3DCEF0-4F38-623C-9E05-000000004202}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:08.586{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC2BC8B7A8F2F068F0F648DF480C8B8,SHA256=3295649F590C21894DB0B6059FAF1C05172DC7C232B4AECA5E54D33BE2D53F04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.478{5F3DCEF0-4F38-623C-9D05-000000004202}66686428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.306{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F38-623C-9D05-000000004202}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.306{5F3DCEF0-286A-623C-0500-000000004202}404520C:\Windows\system32\csrss.exe{5F3DCEF0-4F38-623C-9D05-000000004202}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.306{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F38-623C-9D05-000000004202}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:08.307{5F3DCEF0-4F38-623C-9D05-000000004202}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:09.679{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E7E8FFDC366D2A2F011C4C9406C1AD,SHA256=0994C86438F313E686870CACCB49F6F74E90885E095591956B4C9A2C523C60BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.790{5F3DCEF0-4F39-623C-9F05-000000004202}43202036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.603{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F39-623C-9F05-000000004202}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.603{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.603{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.603{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.603{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.603{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4F39-623C-9F05-000000004202}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.603{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F39-623C-9F05-000000004202}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.604{5F3DCEF0-4F39-623C-9F05-000000004202}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.228{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.228{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.228{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.228{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3400-000000004202}2020C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000118904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:06.818{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63270-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:09.009{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AA1D10D5368257D57887C4C6F6B27B,SHA256=716F14DD555F2460FFC7AE6FF11C1443FCA269A54C3D94FBD58D824571629DBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:10.773{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7996BEFCA5347337237428916A9C857A,SHA256=13426560594759222B1AEECF080B180C2FE3E1AC772D161FAF2F7551634A6734,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.619{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.619{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.619{5F3DCEF0-28A1-623C-9400-000000004202}50246296C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.556{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.556{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.556{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.556{5F3DCEF0-28A1-623C-9400-000000004202}50244164C:\Windows\Explorer.EXE{5F3DCEF0-4E9D-623C-7605-000000004202}7004C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.494{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.494{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.494{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.494{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.494{5F3DCEF0-289E-623C-8500-000000004202}29804132C:\Windows\system32\csrss.exe{5F3DCEF0-4F3A-623C-A005-000000004202}4560C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.494{5F3DCEF0-28A1-623C-9400-000000004202}50246948C:\Windows\Explorer.EXE{5F3DCEF0-4F3A-623C-A005-000000004202}4560C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+d9c67|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+15890c|C:\Windows\System32\SHELL32.dll+1982a8|C:\Windows\System32\SHELL32.dll+284613|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+158c54|C:\Windows\System32\SHELL32.dll+15602e|C:\Windows\System32\SHELL32.dll+cd0c1|C:\Windows\System32\SHELL32.dll+cffa6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000118920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.497{5F3DCEF0-4F3A-623C-A005-000000004202}4560C:\Program Files\Notepad++\notepad++.exe8.33Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\doublezero.exe"C:\Windows\system32\ATTACKRANGE\Administrator{5F3DCEF0-28A0-623C-DB99-080000000000}0x899db2HighMD5=4F97FC820667DEBD2A076D99E4656179,SHA256=7CBA6F6EDC53CAFAC8D74451EE4EFCFF1CA0D8EAF5BF111B9717B3A14BC5791F,IMPHASH=6BF41AAD44CE76BBBB7AA843748061B9{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000118919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.119{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3F111D6CEFD54EFCDA1C30D25E7C2B,SHA256=2B9803B5ECFB5358A2786C8CFE3AA81502188A264FFF6471E0FE4719A5CF3B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:10.040{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33C7625CA924DBFE163D916F5ECEE857,SHA256=55D25C3E4877E650CD8B0FBBA97819B026F5E026CCF4BD2B967A45CE25A34F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:11.867{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96086CEB7D8504A7B8801A6B3737DFCE,SHA256=A72F954DB2724017D492264A3B800A5AD88C6D06650DB6B6F9B4960C55E5B1C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:11.103{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6812F44B858AA742FFE66B7F2C417F14,SHA256=251539C9ACC1F0299E72234490AF1B79255999985429EF2B1490104B9073E32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:12.961{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACF3946DB1AAAEBBA482CCDF10677AF,SHA256=E79EC4DA67E586ADBCC941627C383FAFDDA55C33DAA2140B81AC9149F111A9B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:12.197{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74363A2414512687AFC15523AAABEF31,SHA256=6BB2E7247652D2AD9D7FB05E7BF0E15189BDE0DAB84F2B4F846819B0EC8E9EBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:09.728{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51647-false10.0.1.12-8000- 23542300x8000000000000000118936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:13.290{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DA4B588518C099A8FB106444892AB4,SHA256=47C1F32E32129E1C0637084DCE9E1207EBE336A7026549D8F706944D820AE201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:14.384{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD18AA4174C4863C27F9F27184E3CBB,SHA256=FCB499CD7FA6E1152CF6323A2C2791EC26C477705B15536AB664298A59F7FBD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:14.054{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0226A3E125812EB7812F9A7ECCB8B2AA,SHA256=0D925D0A81B9E497A842DFAB02F22C429FE58102617A9F5191203EFF7B1DF2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:15.478{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965BAFE0CC661EB17CAAEC4BF08C585C,SHA256=ADD45BB94818621D560EE7AD8AF72F83C669059C908DE90F941E7D415113C588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:15.148{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=534A3B53048BAAA4BC05CD3541D74026,SHA256=38FE9F1FDA684CA13AD06C95C39B27C1D611022D7FE3512100940E2E9D02C680,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:12.833{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:16.575{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12541C65B8EC34688A124FA75D449DDD,SHA256=E36DEC338F7A79BC9754D80D072F45E6AB5094A9C91BB378FB0C82DB817DB6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:16.246{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D259BDEB8CD79549B1420FD49831E113,SHA256=686E5130E4B2C31CCA9BABB36C923C47B8B0B289DE7E816E191BD22D40C04692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:17.669{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58660947C0499166E29DC5B05D4446D5,SHA256=0EDD4EAA33756D4E9D5AD23516115368B224AE9456D652AA56CC32B2510944A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:17.340{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB4718F7CB8F03D2D87BB66F16D533D,SHA256=608F68849737E052316BEF6118F4E18C5ACC4BE92327D785910150BBCD0C6EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:18.762{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48219F8133DDDF3F708FCB2638543F82,SHA256=7F211143FF96C13E3B5503CCF79EA825FE84870EB9BD157831046D9D736F9361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:18.434{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648099BED8C497C8C8F5936CD8439FBC,SHA256=CE675EAAF7646B5CE6D19A8CA79E9297E85807BA8952F2CAAC60876940B10888,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:18.184{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-286D-623C-1400-000000004202}1088C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000085321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:15.701{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51648-false10.0.1.12-8000- 23542300x8000000000000000118944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:19.856{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6236E78D088E7E353C9B712E9E954A6,SHA256=DA6103AC7F8B87C8960734BE447DE95729975DE7035EA44B15578D1D33A19E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:19.527{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C589BEF84F9685CBF270F6F791262656,SHA256=9F778FC0256B13FFE3571CDE95AA56682BEFDBB9E97261B03F02797491797307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:20.950{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055F38EAC03B96ADAB60E3A4815C861C,SHA256=BC0DD897CC3312A9A7D844042FB0BC18B913DA3E9CF25221668309B1FFE15958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:20.621{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BAE6804C54D61090F88CFCA8EA947E,SHA256=EC55E6C3094FA9629B7459876FAAED1EC97E08C1226CBF92943FCDA7A95EF885,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:17.948{5F3DCEF0-284E-623C-0100-000000004202}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63273-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local445microsoft-ds 354300x8000000000000000118946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:17.948{5F3DCEF0-284E-623C-0100-000000004202}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63273-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local445microsoft-ds 354300x8000000000000000118945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:17.883{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:21.715{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B51464C561C3DDC01327233775072E,SHA256=D06E98B31593DC59CC9F9445E82A1C19735EF7765B7A89E7D415CB53F5070ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:22.809{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EA163C7D810626366AA369C4EB2443,SHA256=20F6DA93B39FDF330A755E39DE6B1FDB661A9A453D53078AD9C11D56690145C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:22.981{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:22.981{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:22.059{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC8AAB106EBBB2BF1662B67F9D8C52E,SHA256=6D5B5D8B9DE9B4404A6084A0391B25643D2734FD2D0129B67BFBE50828C54316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:23.902{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1B734C2030A2785411B1ABD5D266A8,SHA256=6E44249E51F6FEB1597CBF439168DF323521F143A6BE3AA62A582A500F110238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:23.153{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9D5B977D6FC1E10FE1A498E2376633,SHA256=02E6A0429AE584F5BC6DEC9F370D446646014E7BBB1A876E670BDF5B380ECC65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:21.638{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51649-false10.0.1.12-8000- 10341000x8000000000000000118953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:23.091{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-284E-623C-0100-000000004202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32475|C:\Windows\system32\lsasrv.dll+302fb|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000118952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:23.091{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-286D-623C-1400-000000004202}1088C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:24.996{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26974DEAAC775A0F85E303AC59548F00,SHA256=B29E0B6912991FC5A9EF8F8BF06E90B82B308CE22291385C65F994EB05498305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:24.247{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A3831DCF807600C938A2E3D50704C3,SHA256=B2AF11046ADA1B737D21526E27821C874AA1B062220CA7D66C36DD93F9C89444,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:22.757{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63275-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000118958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:22.757{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63275-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000118957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:22.746{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63274-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000118956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:22.746{5F3DCEF0-286D-623C-1600-000000004202}1260C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63274-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000118955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:24.075{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D322C353F6AE8690F9836E23BD573DC,SHA256=994BBAF54E4314E5F9F8D10AB92EE0037D21F2387EF539CCB132D2CF19738DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:25.341{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7DFB0F3A817F6A7E44102841815C17D,SHA256=304E47ADDB90D638B3B6FEF0D4303F5FB383800C4071B6D9AFDB167703987541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:25.918{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8A35C152F4D3700F76942157F69E8C81,SHA256=619255748835953CF39A9E6C704067D7156AC26624A71D6D93DD3CB5898D6798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:26.434{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AF2A298B6F012FA5ACFA53C3F0A017,SHA256=BC81856175493955FC4377DBD817FE97F075723A21321121FF166ACC68E0FD50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:26.090{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D36FE35FDA8699D9EF1865483D5C08A,SHA256=D4C6C1421A880209BF743AE76E8C706FC7B58536531C3EDC5FAED51381D203F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:23.883{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63276-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:27.528{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8AE9A359E1BD5F15DCAD9E915CEACBD,SHA256=1C1A032C6E952E63996C568BFA3850B10D3822D9BFCB019F21E23068E14A2625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:27.184{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE716BC27F81F5F1AD141AE09160D256,SHA256=9C3ECDDA970EFDA42244D3305978661790C1978D873E2C6A9C7FFD5494F4C943,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:25.278{5F3DCEF0-286D-623C-0F00-000000004202}100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse31.43.185.9-18224-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local3389ms-wbt-server 23542300x8000000000000000118967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:28.622{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF0A22D12BEB7015D9EA1CD72D3AF8A,SHA256=361D573005E802A601D4F7A64384B6975FF6007C7956C0DD012D47DAE442FFAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:26.701{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51650-false10.0.1.12-8000- 23542300x800000000000000085333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:28.277{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3756AF92113F0405783CE0421077FE,SHA256=82D1CA75F00D906CE92784C8041BB8ABD74E540ED31FE6565D7F53256F48140B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:25.418{5F3DCEF0-286D-623C-0F00-000000004202}100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse31.43.185.9-18383-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local3389ms-wbt-server 23542300x8000000000000000118971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:29.997{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76FA46F722626F94BF36B4C680C7DED0,SHA256=8F7C4CFA6CD18B5B2E6D622690A8E66097695B3573D5FC7226AE2D28F4575193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:29.716{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB7A1201F114A5BDB5D0BAB11270325,SHA256=7BD7C1E5555609F37B525BB36A4BEDDA62DD1D284F698376C9753CA804006AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:29.371{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B963C210A7C2F8FEDD156865CFFE029,SHA256=A11F78F31BB2B6D89494E66F2FA0D3C40E81813BD4C71E8E1EA8446577DA9560,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:26.885{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local59135- 354300x8000000000000000118968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:26.842{5F3DCEF0-286D-623C-0F00-000000004202}100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse31.43.185.9-20384-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local3389ms-wbt-server 23542300x8000000000000000118973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:30.809{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7873EEFC2D507A0A471C9B0DC6FBA4F6,SHA256=5F4F6DE04F46532A31D694A368C7E8CBFC6636DAA25C43998D2D29AAB9CC7A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:30.465{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B478354677E713565CF03FC3A2AE48B0,SHA256=349A002BE4AF048F6744363B5A048417C14342C10380A0FA2376C15FA6DACCF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:28.302{5F3DCEF0-286D-623C-0F00-000000004202}100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse31.43.185.9-22438-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local3389ms-wbt-server 23542300x8000000000000000118975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:31.903{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6845F86FCC7B73BA0A8C8E1668D1B1,SHA256=40EB46143C79559D28365FECA91FB64B82127D1256B52376005E10E9DC11F13D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:31.559{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0535E309BA1A1F51A9A0A1C47B8E36C,SHA256=9381EC4CCFA03EA3B505859BEA396B2C3F77C344C20F14B4A4B96CDF0B070150,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:28.947{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63277-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:31.465{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:32.652{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3FD771D9E1673DCBD211A1CFC25DFE,SHA256=2248F37987AE2F2072B25B8774D6C03435F4A57C6CFC0E8A9BC84283F549B205,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:30.998{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51651-false10.0.1.12-8089- 23542300x800000000000000085340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:33.746{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A807A94ABC9F17CDBACEFFE792DCC68,SHA256=7D5FF4595FE23992766C2A1D7C718193C367747E44F692384F3682FF65C20267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:32.997{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CEA3C4345BC87A79EAE36E3CF3E458,SHA256=A634C55B631E786685D8D7B813834458B60539971247E7FAE4474A9B1A6F41E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:31.779{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51652-false10.0.1.12-8000- 23542300x800000000000000085342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:34.840{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E49056A4E42C212D751C3D352F06B9,SHA256=B46D0E5674FF7F57544002243EB8DD27FB214A5EB3FBBA90C7A11D0035ACD25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:34.091{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16721663E3001D2B3AEA8A39AA8B587,SHA256=93F3A64586A34E35DA31193C89525042F0CA7281E3ADCA9AC3C64E5C0F3BC884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:35.934{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FB60AD6FAF0B7E714589D77F0BE0C0,SHA256=2A26DFF2E8DEE440AA94F0A6CF55D9DA9CB5575E56795F36E585F61B01D5038D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:35.356{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69DEDDEE3B4344DDEF1902489993F0D4,SHA256=87B5147327F243A0F8F112DA1CF1436C7E67C3A1269E7FC25872D14C1D497C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:35.184{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763B556A1F5403A93E2F0E3DB5C292B4,SHA256=4DBAE3CBA089885C1C67A2EBB97024FD1AC02A9AD1133553EB2175A6A019740A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:34.883{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:36.274{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FD03FE8B16B51645892B63331C4C88,SHA256=DF890880144764D91FC552A48BC9210BB9E6062086EF92C84297D46263C683C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:36.075{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4948B9EF0B8C1F7C67CD5BB05613593B,SHA256=11EF0F3DA29FFE63E071A2B514D5F50B2C3DD69DB406398582A155FDB24710DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.680{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818743C7D229EFAFAC14BE13BA7A325F,SHA256=7BDF96A114453F9906F5E65A1BF78D69A22076E3EEA6BFFB316602E57DAF25D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:37.024{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90932F70C2E7E40EC89C987BBCCC2F8A,SHA256=0B77506A4638A4FC69A74CACBECCF84918DE1B49055DA1F01F73F138AB461B78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-9400-000000004202}5024C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9700-000000004202}4748C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:37.227{5F3DCEF0-286D-623C-0D00-000000004202}884904C:\Windows\system32\svchost.exe{5F3DCEF0-28A3-623C-9800-000000004202}5168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:38.805{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9367E95FADAAE387D506BEEA5FF669A4,SHA256=5FFA98E514845C35B2BC0BCF0063A017F70C45A63B00C6CF9200047F4B80EA4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:38.117{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE0FFFAA7BE2674FA6BF2B3FFD4B052,SHA256=1FFE29B79B54158C012141CC84026C97B6E77D680F25E84C39B0B545B9FD0D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:39.899{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91500C5AB8B2B612D35F98E63B61F908,SHA256=8E4ACA71FEDD6556CD8C17B2E0CC9A7325922C942124227661FA7D836D624973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:39.977{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BB32B7166362B5A2C46779BF04146304,SHA256=F1DAE0ECC769F3CD2FDA8ECBE7E123861E8F3C6F05B6B4AF89509EB3C75D2A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:39.211{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F0FFFE5F25E513BEF8841C2A62BA6B,SHA256=F900CABF8D1FFB8893CC61B4D2A85BDDE31A70DFF5696EB16A2AD1F6C033049C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:39.149{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0EA08FB59EAFE8E878F08E301DADF3BD,SHA256=342124D65731AB4C3A0A01F0E65FCC124253710042BACC5C9AEFA59F8CCEAC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:40.993{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826CDA7C10F9EBF39FF33C4189D3860F,SHA256=741FF36CBC4504AE8160AF010DD99190DD2A15281A509DC45225AF411EF5E3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:40.305{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C807F92892B5F627ED6744F3AB0B262C,SHA256=2B2771930621945AA23FA31F85EB690F442A5F0FADF5F66FF62539FF60FDCB8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:37.556{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51653-false10.0.1.12-8000- 23542300x800000000000000085351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:41.414{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E745EBC50173235F0BF0616468A04B3,SHA256=2AB90B5B866BDD0BE30E0AF71A2A9BC0A1B8A2ED7B0F48ED4F99C93030565F8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:41.727{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:42.508{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A824121BA4427EC06BC3D17B0C25AB7A,SHA256=0F60A6ABB406784F425224552656A74BCE90C3AC52475FC557B6AEDBC0DF70E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:42.087{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120C8EBC2E494E5A52F929BC1FFDACA0,SHA256=0B3573F10F8261B2158E4C9432EF93171BAABCC1D1EF900DF21D6A29732B6744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:43.602{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2547777D08BD471CA619A12517438BF6,SHA256=C367A21902CA4245E9F7F6EC2F32505FE6009E6B2A0F084A2F8E6F3A5D4B97F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:41.473{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63280-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000119023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:40.879{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:43.180{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C33049490E6AEEFFE78586AE8C6845,SHA256=0C82AA75B94AA3F1E8831CFE2D8497A8790565E3DBE2185CC68ABDE0FD083E30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:42.791{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51654-false10.0.1.12-8000- 23542300x800000000000000085354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:44.696{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E970C1D72AE168AB268920C96070AB7,SHA256=267DAC323F7B650E3DC20848C842DAE8EF54F8752F09D3255558DF1194B14573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:44.274{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA9EDCF21AD6A1684072557BD88CAF5,SHA256=258B0873A9342B61EC51C3C36F8C41B8D5BFA2EFA5B64DEE0549C6C3831A8982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:45.789{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E04CBE0719258A0A3F5E6E1DD4CBCC,SHA256=DC6A8BC35E8A47327B422FE18ED1D3E883A4390FB818BAA0BBF74DBC242FF53E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000119027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:00:45.868{5F3DCEF0-286D-623C-1100-000000004202}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d83f6e-0x69a3373b) 23542300x8000000000000000119026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:45.368{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA35D336781C285CD60616446DC413F6,SHA256=AC91B18A527516CFD9F1BAF8C55089764243C7B2ABB95DCE889D3B07A5AB3330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:46.883{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7427A1729FF6D40A07A53BA710DA509B,SHA256=F35320049221CA666D739249857F1B1A53CC13799AEA24DE65335E71611207BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:46.462{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9837A54432A3A6EE0CC0D0A424903B9D,SHA256=0649B4267B0B31A8D41D8DC9697DBA1DDE0AF00F85ABAE79F1A023912A04FE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:47.973{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1EEFA0AFA247AAF0DA9BFC93F9DF691,SHA256=F8CCEDC5E88D0838B3CE6902296C97F51A40BA46D4C611D17B040A28790B88BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:47.968{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-161MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:47.556{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B12DC1657C6C9F93D5A7B3894AA7AD,SHA256=461FD8694F9581C6B38928F40D11A753B40C30F3EE95813A4F1010C5682A2918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:48.649{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE54B5C96606A1BDD6C3161A487B2F4,SHA256=1F07C4F635EC2FE9EA7044CC9EBBD1CD54345A82B74F70221B5F69EBE806FBA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:45.957{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63281-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:48.980{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-162MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:49.743{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F389BEBA37952852B3B2C7ED8FC8FE89,SHA256=73CB99B64C98D0C481744658C9801654A830B4900C15B913CFABB674D2BF84E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:49.071{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF3F35FD1B56EE8327FB4D200E0B277,SHA256=F2BF2DB30D16CCE5E14A8EFDE7F3BDECEAA6EBDBA7571BE4E005B5646673D5E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:50.837{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2779C1ECD1A67EAB3D402B4DC47D5EE2,SHA256=13EB1D0066135FCAA80245EC80AD605E88A6C14C04245FCABF462AF216CC2055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:50.058{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B24F5AB80B9E4354C9504C032EEA638,SHA256=D280455C9926F0EE12A14AF67350292F63DDF6BE890845F48A176452962F7B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:51.931{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3877C6B6AF7B0DC6F2AE18FD5E15923C,SHA256=57EE4DCF3EAFD44125D05BEA4265CB1236C2805F48CD36D2DCE92034141056F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:48.744{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51655-false10.0.1.12-8000- 23542300x800000000000000085363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:51.151{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AF57A621F5FF35FC77456D45210F94F,SHA256=2155F4112F5CA68B1A41A3C70D56B891C2D77D8E06B23F9DC403A436AAF76B81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F64-623C-1A05-000000004302}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F64-623C-1A05-000000004302}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.745{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F64-623C-1A05-000000004302}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.746{9531C931-4F64-623C-1A05-000000004302}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F64-623C-1905-000000004302}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4F64-623C-1905-000000004302}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F64-623C-1905-000000004302}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.247{9531C931-4F64-623C-1905-000000004302}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:52.245{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDAFA28F9DA9DDD211A36B3BD3454105,SHA256=E443D09BBB6CD9A1F61A7AC2D5FC58B73E323099DD5A9883A78011C4534009B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:53.636{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C9AB1A570AFCCB8D72132F18196C45,SHA256=BF690EB24DF88E7675EBE4BEEE87ABA5EED73261276B15CF63BD52634E5A3138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:53.355{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E7CF8735F01B7D474A110302A28FB40,SHA256=236C611DBC2DA1A60BA9B8889854DE197B26FCA0A3ABBC83B60F9580C972E0A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:53.024{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49EECC114CC53A299642E510A3AFF890,SHA256=44130874EA5233D4E4C062AC8F7FB376BB64754BD2DB32269DEB782D6A7C1E4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:53.089{9531C931-4F64-623C-1A05-000000004302}19801816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:54.464{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC5AE20C41BEE3005800477EA8F7D55,SHA256=5342688F6477E06D1981AC89F297AB8DC3DEF9AB8CA82446AA795AAAB1C6829A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:51.988{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:54.118{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A679DEB43E5F57A28E04E8FE91134B,SHA256=735D803BEA4D1BB2077878D31681F52CCA86F5CCBD919666D84374E5864A12C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F67-623C-1C05-000000004302}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F67-623C-1C05-000000004302}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.917{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F67-623C-1C05-000000004302}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.919{9531C931-4F67-623C-1C05-000000004302}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.605{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22516E253480A72EF0DFCE51CE36B1DD,SHA256=FBAEEC48A9290D3F2BB2A737E8D8468C057762BEE62CD4FD7E9AF8A4C4FFDBC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:55.321{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F584921483F9DDB22E68E6F13F421C,SHA256=72D66FCF28DDE598DE76AE0A7EA90FE20A580A32920927C2D3557EEEFBE515CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.245{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BB2D3C1E09ED362DAA7A552C15606659,SHA256=1ACD006CC778D446A6D95DA96FFAD57E687C8941EB80E67DEAA8592019ECFA34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F67-623C-1B05-000000004302}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F67-623C-1B05-000000004302}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.011{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F67-623C-1B05-000000004302}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:55.012{9531C931-4F67-623C-1B05-000000004302}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:56.419{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAD837D5F09A7BFE3C82F2CB01F25B0,SHA256=E5C6A44C29ED0B42B93C9D95CD603F2D7355A2118BF06BC89620EA0D892A3102,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F68-623C-1D05-000000004302}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F68-623C-1D05-000000004302}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.700{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F68-623C-1D05-000000004302}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.701{9531C931-4F68-623C-1D05-000000004302}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.263{9531C931-4F67-623C-1C05-000000004302}1880860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:57.513{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC160AFEC46B379C90D8267C7E6B1E7,SHA256=3857051109BA6BCAB5882447CD85A9151A87CC0AE31818C81A03DB59E98E8E0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.528{9531C931-4F69-623C-1E05-000000004302}13202500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000085453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:54.638{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51656-false10.0.1.12-8000- 23542300x800000000000000085452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.262{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC9DA8457005904ECF4B384099A057D,SHA256=E6313B1B63347D910D29018EB6089A34B200D0EBFDCA4F277159DC64D9204BEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F69-623C-1E05-000000004302}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4F69-623C-1E05-000000004302}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.200{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F69-623C-1E05-000000004302}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:57.201{9531C931-4F69-623C-1E05-000000004302}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:56.997{9531C931-4F68-623C-1D05-000000004302}1088992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:58.607{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75FFC1F29F2E43A8FBDC02DED856B52,SHA256=D3027FEB50C3B8C601990A050BFEEFB056939F7D59962883D211D76C989684E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:58.137{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F54AE5F02F3AE4B5FFF40A2E55FEDE,SHA256=94F99F2CD8631CC1809577CFF3579EDECD6E728214579A11CF3CF2F91E8D5D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:59.700{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC51464DB3E94B4E7A2E5C1EFF3EB9A,SHA256=C4DCEF18A6247AEDB1471A5B8940366E1F6FF05D2D729C48E98188ADA83AA8F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4F6B-623C-1F05-000000004302}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4F6B-623C-1F05-000000004302}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.387{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4F6B-623C-1F05-000000004302}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.388{9531C931-4F6B-623C-1F05-000000004302}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.231{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8BF568A2D5A3FD800C7E035E3FC4F3,SHA256=5B159BD2D2296559767AC36BE8409675858C553D3375A4A033ED0239648C55B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:00.796{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1068E5D16F053BB45EE43D393C49A91B,SHA256=6BB4524E50B16AA2F75DB5FF2BDF15EAAC1EB0F5394BA5096C59DBD869677F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:00.497{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F54B6D152EC6E1F57D93C7CD6F038806,SHA256=AD6800E81DBF45219E1A13C3169105C823F277678682605FF8BA7A5B1DDAF129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:00.325{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25081E51429C09E103B7830FA3CC18A,SHA256=B097F3D1818AE9336EDC5159BA95F941F531D9EFA1D5ABC326B5255B81104C86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:00:57.945{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:01.882{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEF7DB81CAF8040B609AFDED921F7024,SHA256=6F97154F0B9F331D353F76C24CF9C7717B96451A510954D1C2316A1C9B609D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:01.418{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF434BBE3F04DC174E510A74ADA1231,SHA256=FB29CA276861A614C2F035B02E78ED02E55D56886FDF0BD718ED14CFE5CC83B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:01.003{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\respondent-20220324081453-161MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.977{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54CD2C4C375AE615070F9CF160ABCA9,SHA256=3D308545709F7FF4E9ADC23B6B7A4CFFD655F5ABDA5A87A7D30339F6B172BAC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:00:59.779{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51657-false10.0.1.12-8000- 23542300x800000000000000085473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:02.512{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDC1B981886BCE8E3B98799962A4377,SHA256=3D4CFADE4AD1DD966263087892D6E453D566B8D80BC6E900A5AB2A41DABB7021,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.540{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F6E-623C-A105-000000004202}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.540{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4F6E-623C-A105-000000004202}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.540{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F6E-623C-A105-000000004202}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.541{5F3DCEF0-4F6E-623C-A105-000000004202}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:02.008{5F3DCEF0-287B-623C-2F00-000000004202}3064NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-055648375a9ac07a7\channels\health\surveyor-20220324081451-162MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:03.606{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73264A9688E454377EC9E049CF05CAC7,SHA256=31E36C8EA8559086E21C690412778C0D31C3DE7F946285187447416B59CFE493,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.868{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F6F-623C-A205-000000004202}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.868{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.868{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.868{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.868{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.868{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4F6F-623C-A205-000000004202}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.868{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F6F-623C-A205-000000004202}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.869{5F3DCEF0-4F6F-623C-A205-000000004202}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.587{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E46E0376D9CA1A7CCF10CED3FFC2CB72,SHA256=FE84343CC5960007C43C3755CFE8E9BE8C0A0157D32B943520537C2A26D022FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:04.700{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19E973DA9D2FD947F3534465A653D71,SHA256=6499F9C29E0B77AD479DD0AB3261E5D12997E6DA4182D00E790EA060064FC68F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.759{5F3DCEF0-4F70-623C-A305-000000004202}26766856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.540{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F70-623C-A305-000000004202}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.540{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.540{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4F70-623C-A305-000000004202}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.540{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F70-623C-A305-000000004202}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.541{5F3DCEF0-4F70-623C-A305-000000004202}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:04.071{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625EA5D3C36B95BA07FBFEA62D9EBB67,SHA256=D09D639F0FC69245983491E367FF7FD3A2FAB73478919424DF8497400CF26D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:05.793{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4534FAEE417703D260E25222E9E5748,SHA256=CEF9C695F1B85578929412BB0A96EFC87E908CBC1D9B8CDA852916AE1C3C132C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:05.337{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=02A186CE156B2298DBA5FF1FA95404D2,SHA256=E759800463865111B606F0B8FDBB84EBABFC9EBEE23992651A1913A9D649B145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:05.165{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD896851FE1C3B40D8E6602CAD2B10A,SHA256=A000E84D12D099BEB591D11CEBAE81712DAA2CAF4C208D4D2187F1A30E6F0003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:06.887{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F98CC0FDFA72432391E989DA80AC58,SHA256=1AF863964D4E772A0CCA83B7AF0E6A96C04093DCF9B831F689B75AEF5C053514,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:03.816{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:06.259{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9CA571E4AA0194A6F4B5A3EBE1D28F,SHA256=29BD4C21466D36C637F704AD646DD3E95B4AEF36155972217F3890B49D748B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:07.981{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107560CCE4058084265BDD4E45554E2E,SHA256=C4636F508A60E503EB56EC4184FF036BD43B989B3F65409DE33F7874BFA99ED6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.524{5F3DCEF0-4F73-623C-A405-000000004202}68726888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:05.832{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63285-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000119089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:05.832{5F3DCEF0-287B-623C-2E00-000000004202}3044C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local63285-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000119088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.353{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847DA0E27E4403AF4EEAFAFC9FF15451,SHA256=C1DD924D3339DE1BA1D357E59FD4FA6E3098C81ABC46DF04880358703101A7D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.321{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F73-623C-A405-000000004202}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.321{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.321{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.321{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.321{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4F73-623C-A405-000000004202}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.321{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.321{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F73-623C-A405-000000004202}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:07.322{5F3DCEF0-4F73-623C-A405-000000004202}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000085479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:05.623{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51658-false10.0.1.12-8000- 10341000x8000000000000000119109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.977{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F74-623C-A605-000000004202}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.977{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.977{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.977{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.977{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.977{5F3DCEF0-286A-623C-0500-000000004202}404608C:\Windows\system32\csrss.exe{5F3DCEF0-4F74-623C-A605-000000004202}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.977{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F74-623C-A605-000000004202}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.978{5F3DCEF0-4F74-623C-A605-000000004202}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.477{5F3DCEF0-4F74-623C-A505-000000004202}4356752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.446{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD044C7FB35068D2CDAD9EC422BE1462,SHA256=E1DB75BBBC171E220B4F6039B48E9D1AB8DFB5C231A6A118250E66E7F7D3A995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F74-623C-A505-000000004202}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-286A-623C-0500-000000004202}4041324C:\Windows\system32\csrss.exe{5F3DCEF0-4F74-623C-A505-000000004202}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F74-623C-A505-000000004202}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.306{5F3DCEF0-4F74-623C-A505-000000004202}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.759{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977F7F631F10DF3E0E0674A9634A2333,SHA256=BAB5AA2D933629E57C3E8E5534353D8D0483AC3FB205B87ECA3E20CC9AD3E38D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:09.075{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B756237DC99DB57F3BDAC2AD87CCBB,SHA256=68D6DB9D53BA1FD847F0043D7258C61CF13F2BC7B03CE5B72A083AE5DD0D494E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.649{5F3DCEF0-287C-623C-3C00-000000004202}32843304C:\Windows\system32\conhost.exe{5F3DCEF0-4F75-623C-A705-000000004202}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.649{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.649{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.649{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.649{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-287B-623C-3600-000000004202}2384C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.649{5F3DCEF0-286A-623C-0500-000000004202}404420C:\Windows\system32\csrss.exe{5F3DCEF0-4F75-623C-A705-000000004202}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.649{5F3DCEF0-287B-623C-3200-000000004202}23443564C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5F3DCEF0-4F75-623C-A705-000000004202}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.650{5F3DCEF0-4F75-623C-A705-000000004202}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5F3DCEF0-286B-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:09.149{5F3DCEF0-4F74-623C-A605-000000004202}65324472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:10.853{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08940048F06AB0E7C7BE6D279DCBF4D,SHA256=3856061E72DD1EA4541BAA82A13656EB3F83115063939663C85A8DB9C0CE728D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:10.168{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B8E02FB69FEA7B218D861076BDC75B,SHA256=FCD605AC85FF9A535A0C3D875607092DAB324F946A932201531E4DBEB1227165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:10.165{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1EB3E86CB37CDAAF6F94647E9671AFB,SHA256=A23272BB36A0CA51E2BB20A0E14A27ADEF6E48531272DD7FEFEF67B7F74A1FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:11.946{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C35BC0D8F5B785F50A566FD6BB46E28,SHA256=E59C62316264D0E80A03FCD9997FFEE995038859DF64B916C39EF3BAEE1A4EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:11.262{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8F31CAE5D9805AD33C6E4BCA3E8CC9,SHA256=B777954EE5C700713C68909D91E7E6356D3073C3BDABE2F31505BDEE383880F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:08.910{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000085485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:10.641{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51659-false10.0.1.12-8000- 23542300x800000000000000085484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:12.356{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008631DC40134B7BD4CF16ACF25F5E88,SHA256=972598BC083A1C0D68C628F0C4338C23E46AA386AF049DFCA3993B2EB7348473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:13.450{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DC4E481F0959A52FAF17706F19985A,SHA256=F84753956D096E24C303E40DDE74182696D7C79938B49B58DC2FE9559E717E85,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000119129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:01:13.681{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\C415B540-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_C415B540-0000-0000-0000-100000000000.XML 13241300x8000000000000000119128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:01:13.681{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E24E79DA-871C-4F1E-B921-5D1DF27ADC35\Config SourceDWORD (0x00000001) 13241300x8000000000000000119127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:01:13.681{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E24E79DA-871C-4F1E-B921-5D1DF27ADC35\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E24E79DA-871C-4F1E-B921-5D1DF27ADC35.XML 10341000x8000000000000000119126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.665{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.665{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.040{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4748F976B8BCAE798E7403D28D8BCC,SHA256=21FBBFD392660BA2FC628D1B131F1D2C608E4CE7098779620BCF563141FA7F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:14.543{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F204B5BA6CBFDC44F498175AAB33B7B,SHA256=50A920161C309B52FCB4AF663E156D41557D722AFD9AF88E81432E46A20964F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:14.540{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:14.540{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:14.540{5F3DCEF0-286B-623C-0B00-000000004202}6204176C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:14.134{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF510B16681497DBB4835C9B1A5162F,SHA256=D4A4662D2CCBCA37234F76743044A0B73757C6F567D4F3E059F616F8C2C15B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:15.637{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F50D7EE1EFE8672301229CADB9BB6CF,SHA256=9E1D3ED47D7682ABD5674BCDED39B82DA2A53CA107095C16F6468CC2D4BA68A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.634{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97BAD77B6BA014AFED5499518933049D,SHA256=A23ECDE788FB93E50306B4ACC2176AE67C4DB8BB53643216348CE9B478178000,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.556{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.556{5F3DCEF0-286B-623C-0B00-000000004202}620744C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.459{5F3DCEF0-286D-623C-1400-000000004202}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c850:1dd0:9c7:ffff-64465-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000119144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.459{5F3DCEF0-286D-623C-1400-000000004202}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local64465-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000119143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.452{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local58168- 354300x8000000000000000119142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.448{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local60668-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000119141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.448{5F3DCEF0-287B-623C-3000-000000004202}1396C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local64897- 354300x8000000000000000119140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.447{5F3DCEF0-286D-623C-1400-000000004202}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local64897-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-891.attackrange.local53domain 354300x8000000000000000119139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.428{5F3DCEF0-286D-623C-0D00-000000004202}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63287-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local135epmap 354300x8000000000000000119138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:13.428{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local63287-truefe80:0:0:0:44c5:ef28:42ec:7b5win-dc-tcontreras-attack-range-891.attackrange.local135epmap 10341000x8000000000000000119137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.384{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.384{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.384{5F3DCEF0-286B-623C-0B00-000000004202}620820C:\Windows\system32\lsass.exe{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.227{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59D4E17773BBA978ABC0E5136DB1B9A,SHA256=E6A296BF7FAC67DE66ED95BBF68091B22C54A3A413DE9E27E266324E71023C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:16.724{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8314C4EF9CA2F100068C59B9276D34,SHA256=3D71358FB4ED3A512A41900550C2A2F22C6C3ADABD3568A0D7827B2A9087D874,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.144{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63290-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000119153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:15.144{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63290-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000119152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:14.847{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000119151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:14.300{5F3DCEF0-286B-623C-0B00-000000004202}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63288-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 354300x8000000000000000119150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:14.300{5F3DCEF0-287B-623C-3500-000000004202}2112C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63288-false10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local389ldap 23542300x8000000000000000119149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:16.318{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DD35A57135D5DDFAC66BF3592DBDAE,SHA256=E0E49D87BF8C12A58A4BBA7E88EDAFD047404AF9490BE4FFF009FEEEB0C8CC72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:17.833{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AF1D09B4ED054659A19BB19E171605,SHA256=D24A785CCA605D3A82BB37D6E00B33223B72BE070773FC62EEFAD262B75E86EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:17.412{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF76F4EFE504E609C1842D5ACB4D1DAA,SHA256=F2C2F4B01F07C92B3B45BE00C75305F170A3DE95DC0AF4FF18B56549A0AE50AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:18.927{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D5E4201B66CA76E341DDD13300D88E,SHA256=6924B518BB64BFAAD02B7E19982769ACB11FD1DE076A0B5345D49320EA55E9F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:18.506{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62545F939A4CEFD610F74FB079605CE7,SHA256=30196E19AB3F6DE6F35ACAF483DCDC7F6CC0807389BF9C8C86F4D1177638BC84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:19.599{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924C130DF7C25A37BE78FCB6C9DB9C53,SHA256=DAF5B909019969466B073F26C8F8DD56940FF5350E4354A65AFCF68DC685494B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:15.756{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51660-false10.0.1.12-8000- 23542300x8000000000000000119158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:20.693{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635641054F56CC36D59FC2D8DCEFE8D8,SHA256=CA7A1DA43EB5479BC9C352DC245D5DB12A7E4B4F631A02C2794286118CD58256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:20.020{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF452FCB7F7ACD13AD3AE4A3FD1E0681,SHA256=8DCB17ABB0F6440BC015506E820AD1D8674A6CFD00E257BAF0684BF79D580BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:21.787{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926E222D70B9FBD64D6FEEBF0898AC72,SHA256=A42F5CAC61643A1BBE43B87FFF3062907CD2A654B605596CC812F42A9F76C9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:21.020{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198248817B849D16210A3F6A4688C745,SHA256=CEBF9A1A4103E7D5A41FEE4EF06BD41DE6B0B68978D1F8025F01EB00370BFEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:22.881{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937D188DBDF6A5C900D5F25E3D0E0B45,SHA256=426E4708C8E4D243B9ED53BA8B6ECC5B2D5D8D35BB0F392AD29511D1E6AA3FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:22.114{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD97721345406CCEEE502F1D15F39A35,SHA256=89115CE2D9DD3A007A7228DC9B5AD74662744FAF2A31EB127B10E1231A41742A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:23.974{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCEF5B5E52159FA086FE003FC720620,SHA256=C1D7797B286AE92248E8F22240A43351DD3FCDA4953203B6865EAE786D5B13E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:23.208{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286D5ED096E21FCF4E05C9E259E0783F,SHA256=7A3C23BCC036B7FEB70025FD35449AFCD6DD91A7232CF982A5AC090E8066BBA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:20.797{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:24.302{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0870A0652EB3906E300931647253C5E,SHA256=A26E259EDC887707E8B7AAB68772F7542F0126FA8AA67E2190331AC184BF9934,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:20.756{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51661-false10.0.1.12-8000- 23542300x800000000000000085500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:25.395{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62563B14CCE1C251E902BB11AE109225,SHA256=D9097A91C663CAD8A4DA6515597BA7C2C64309E10848448B70ED69B98BEBDCB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:25.364{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=95124EEC18E29F318A828EAFCA5D6905,SHA256=D1C5E044CEC00D0DF3ABE9FAE0502D38C8BD514A562B089253FCBD37B39A0081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:25.068{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32AE429B93AFBED817497F6CD798BE7,SHA256=5A6F144E54D55673750CA824920D88DA898CD00A01849C796F0B1B9C3211B11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:26.489{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834454A789CEA626D4E12D9083ADBEBF,SHA256=29C02FEDA4EE7735890D1C6068ED4E4A6712B9B56F661E1AE525A52A985E7180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:26.162{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F0689D546646A6140E3A8E451274B3,SHA256=2600F7691AB97D1A3E88A12F0335569443667AA8417D8C46BFE5E2CDED358394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:27.583{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0068D3F7E807BBAC7F5AC0EEC128CE2,SHA256=FA447A6AF587FF5C7774BF79819263AB2A5E95D507B7205789494FEE5F096DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:27.256{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D6D3874E57502DFDE8A026762264FF,SHA256=3EB503CCC1FC4F954A72A65D156793B7F17C569466743282F3F011EF0E401950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:28.677{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4A73B815BEF16A55FD5BCFA4A41A55,SHA256=42E6D18965332424ED9F51A8C94EC138292B0ED344B407E01AF560A6DB0CED45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:28.349{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8615DBA994A85D5EEB4D3C6C2CC000F,SHA256=105F71EBCD671962E9ABA7B0C568BFD56B810CA65CF1234ADD62C0CE1247F8B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:25.789{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51662-false10.0.1.12-8000- 354300x8000000000000000119166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:25.969{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000085505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:29.770{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5085DE0FFE84BEBFD3093D9D29D3FA4D,SHA256=22C165FB21BC34BBBA3A25BE92D90E093B075D4D26BC2E7527C0930D02526825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:29.443{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F805D24F51705365770C960B87AF5C45,SHA256=AEBAF3CA2FBF3A6B2E53B488C26D849E032F6DF038369FE0C0A643C0074FFDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:30.864{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987D487F3E566986ABDE7345FCCB1314,SHA256=A07BB152C6A826490C2BFB0DCC55F10C443B252BFC2B978796DD59003081949D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:30.537{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B442B569B69FE88BE451DCFF39317512,SHA256=55AD3101A36FBC401559CC51E17B415B74369E380D594F6AF0D46EC8553EC696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:31.958{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C208AEE90013D0A3DCFB729EC2C0DD,SHA256=5E0F03A9DAD0732A7640F320173FC8B6A573C38113638D17DE55C1366F23608A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:31.646{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66397264468C3A575614CBF486F7E13,SHA256=BD510BA25FB739E24985698050AE9F6814F7D76733C3DA013F7504BECC242EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:31.489{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:32.740{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0960025BC174972CADCC4A7828AD698,SHA256=FEFCF5CD54AC16019C81F83CFF07DC54A6BA559459227427BC3EA514F73792A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:33.834{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D38B000852698413D66FCA7B9F5B12F,SHA256=E5BF670102CE0EFA70BF8F9070B5F7888A4D36A1E11A280D64B58F96699BB2DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:31.570{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51664-false10.0.1.12-8000- 354300x800000000000000085510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:31.022{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51663-false10.0.1.12-8089- 23542300x800000000000000085509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:33.052{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77FA9E2E6B1D548C463CC8C421B2EB0,SHA256=2CA866D3A859A8E26970672A3CD61454F6E35B60A2671E583419A96CBD30560B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:31.000{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63293-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:34.928{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A20612450A39B12DDE7EF8A0ADB9B7,SHA256=E2A200654FCC69F7D0FE7C7067D1553E2469CDE7B6162E797600492518B99D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:34.146{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAD3C923147489FEF35CA05A3B1C180,SHA256=652D3679F9E7055CB5012F4D2434DDF29D2C5F750A51F26151D5F2359128DCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:35.239{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B145AA6225572FF29F013E982D45637,SHA256=3B618DB7DC1784B5BB58106FFD19304CD020E0DB0C2F89B468A487668B1DEA9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:35.615{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=114A00672C403EE017423F26D365EED9,SHA256=D3A43CBE95D7DF938307031DC311C1B91AACA913E9ECDB2CB06DD30B0B1289DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:36.334{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AECD7473738F3763A358C0FB2BA315,SHA256=AEECE48D7EE5741EA849F1744678D37BFAFEFCD0915277E36A8C5277166D6F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:36.021{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C487FCBA89AB9AF436EF9B1EA03062,SHA256=542E4498C41E51D5633076123204B9D22BFB9AFC404F8F5AEA35310543A628C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:37.428{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C72CD9A5E0B259C9D6C6FDD3345DA6,SHA256=A58DCCBE2B514727DB30104F8DC57F9548076E3E3F827E7780147295FB3F86D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:37.116{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE73EE8534DE858290C7F610AF023122,SHA256=8F9F411F7C71A32606CBA8AC257EE143D2FDD0DE1F0E210A0DB822A00B1B0612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:38.521{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6369718FAA542061DA74FE691162127E,SHA256=8CB6F938263E0A5724C04317F0A2007690C5AE60F2539D9011E985B8841F6437,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:36.954{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:38.209{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F97E91EBB19583E21CC3A5ED2DA9DC,SHA256=D35AAAC3CBFD78A1C40848A7C6CCED4E28041E83426B059D707909322DA8B312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:39.990{9531C931-286D-623C-1200-000000004302}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E739F53B2E3208DEC3FD23CD23311CF7,SHA256=D3C8C504403F14E1CCFAA8E863D8700520D05547A1A0EBEC76ECB1755B654F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:39.615{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119361A3098C69D2EB165D9D32873C7F,SHA256=BAF6D8AE305A3F610A45C2E627EA5059389B0E590105D77F62C2CD21CB84EFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:39.303{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197DD6F779F106279A2A58A42754A6D8,SHA256=7F1162A07227842D79DD5BB89F9F3323453EE036A59774DCAED64206228537CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:36.758{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51665-false10.0.1.12-8000- 23542300x8000000000000000119180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:39.163{5F3DCEF0-286D-623C-1300-000000004202}488NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=44274B1636EC392E3229715F8BBB46F7,SHA256=3C9CF0AEFA0130A5F294C9C64C330DF34B1811C5C9186E98BB13A77F7DF9741C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:40.709{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9336F9B74F936CAA65F988304FE9E49,SHA256=8C78E365ABD91EF974AEE88A4734045191C5F62A71D7FED315E56274F7171C1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:40.694{5F3DCEF0-286D-623C-0D00-000000004202}8841160C:\Windows\system32\svchost.exe{5F3DCEF0-28A1-623C-8B00-000000004202}4584C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:40.397{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C03CDE03FA10460C1B4F610045BC7D,SHA256=653D15751DE9A2F4EC3DDA4E1AB781F8C60671BC5BB0F2C7C82BFA7787DF1C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:41.802{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EA1DF54370511EB74D6CCAF6751164,SHA256=713B8C6A1702891D15BD86C830F98E85119793D4EEBA85E7756666CCF58FDB5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:41.756{5F3DCEF0-287B-623C-3200-000000004202}2344NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B25FDCC12974A9C381F03B139373D5A,SHA256=CCB13157BCC6FA0284F12C6446F2447FFDD0F4F85F98465868293CDAEA96B09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:41.491{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5A32B6897E4280DDB3503DE67818CF,SHA256=E14AD04B0917539DCE48E6DA55F8999F0A6E998C475B062626C72C3366CFEC04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:42.896{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2AB74771213B9B3CAE3F0B8DE489FF7,SHA256=EE67B489CC2B667F8007A9DFBB571493491AC2D273AB112C63FC54EB57DF1F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:42.584{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FBE93BDF4145AFAFCA0F8CE0557C2B,SHA256=15AEDC6FD7E5E9D72F3A10C09E033B28413C2D5BD377312F59CC7E5DF45D405C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:42.193{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:42.193{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:42.193{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-1300-000000004302}700C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:43.990{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFB4D4CEE1CD2D7C8D188D653051913,SHA256=0FC67C89B6D62CB0D9B9F218C4D56D8E930E779E14BC94FAF80B00C20BEE2234,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:42.001{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000119188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:41.501{5F3DCEF0-287B-623C-3200-000000004202}2344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000119187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:43.678{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDFCDDC83545E415614A5A1E0410A64,SHA256=22B85C6EA68AD90581E77D8E716EC393B1919889A8E7783D7598E7EAEF78CED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:44.772{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB3A8801FFE869EEE69E2FD3F93CA07,SHA256=D59FC2AF5BA9713F4986225B4DE6D6C945455CC79578FBA9A5EFFA64331C6DAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:42.757{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51666-false10.0.1.12-8000- 23542300x8000000000000000119191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:45.881{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5061B940A38A3523A88D84041B240EAB,SHA256=C459CF5C71E9557E752ECD2255B605DFEB5E36B0C07BCFD4C94B5F4447523AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:45.084{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AACB1A9A74C576B78109644B47578C59,SHA256=EEE90BB8B574EB77A724548C265CE45815B05EF046EE9F27501F27354348BEDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:46.975{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB1EA5F99BF6B8685139D3863277BC0,SHA256=72830BED8EFB89AAAC0E45AB359A3C20D8C1BC44831776F0BB6B7167552B2CBB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000119192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-SetValue2022-03-24 11:01:46.944{5F3DCEF0-286D-623C-1100-000000004202}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d83f6e-0x8e0aa47f) 23542300x800000000000000085529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:46.177{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A06550C8766BD62E62C2F749E93ECD,SHA256=CAD36F83C5F17C623B9923797526FD222083A947745E26C1090DCC570C334FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:47.271{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=105EEACD1B3719B6B6D80845A1A71760,SHA256=204897B43AFEB0242BC877082BECB71A6FAC3C6CDE9CB0DD9427AD6925861A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:48.365{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA8AC2FCF4DD431D8BA9F75C38BEDB2,SHA256=0B3FD8F3E1F948B3A4EC9D632EBFD22A9DC9CBB888C863F15E414AEB8E50E7AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:46.688{5F3DCEF0-286D-623C-1100-000000004202}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local123ntpfalse40.119.148.38-123ntp 23542300x8000000000000000119194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:48.069{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302FEFE709721C66C30E12C22D736415,SHA256=AF0527E0EE3847BBB43FBC3AE97C88815FFE6105CCF4E6D67918F27665EC59FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:49.512{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\respondent-20220324081441-162MD5=E0BA989DE2EAC2D304FA728EF5181BE5,SHA256=79811ABCB3575FCAAAD7A2ED1966FC2D319842A68AFDD7DF3600AD47FF32DF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:49.460{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B03B779CA1F57A3ABD3B19573E42DB,SHA256=1CD1D1BF410800E16E1A910708CB451EA34B0A419F05F5C9D3D761F3763313BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:49.163{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E298AE0CF393FECA109034B2A8D55480,SHA256=2373AFDA229F3A8762BD047F5A3B6A280323324E5FF4BC089D7D1E126E8872B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:50.554{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F680AE5ABC7D01425521C14A4B2A766,SHA256=837C9738B9B7A682AD686D3DBA1DDA5B757955EBCBF9A2DB581C89C162F78923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:50.511{9531C931-286E-623C-1F00-000000004302}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0461bb3aaa367e86a\channels\health\surveyor-20220324081439-163MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:50.257{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEF54E181263FA06B0A886E6A49FD1C,SHA256=ADE3121FE3D5D0753040C4EAF5987DCDA2989F5555C5FBAFB06C44E8E083CFC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:47.830{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63297-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000085537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:48.774{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51667-false10.0.1.12-8000- 23542300x800000000000000085536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:51.650{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654C1E809B701F68D8903134D35AA797,SHA256=16FD3DE6754F0D50737C9BD4AB769B18DB34F2FD6E73F9034923B0C973F3D7CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:51.351{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE61CB09B11650D9377E55C234FE074,SHA256=9B05A54F61ED6C8FEFC4B1EB94B5F5075BBEB8460A2ECC7B2F98BC47854A8847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FA0-623C-2105-000000004302}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4FA0-623C-2105-000000004302}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.760{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FA0-623C-2105-000000004302}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.761{9531C931-4FA0-623C-2105-000000004302}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.744{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56AD2C572E9E0E977EB29264E614F47E,SHA256=9F5FD381078CB5B9AE4926A75B635A7580E51DB914A948D4C4381A3500C840A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:52.444{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBEFD3C5553006F2BCC768E6F5EC76A,SHA256=D1AD32CB3303BE95DF084BFF2E97BAA7C4F670BE7BEDF3842D5DAE5BD9CCFFB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FA0-623C-2005-000000004302}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4FA0-623C-2005-000000004302}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FA0-623C-2005-000000004302}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.260{9531C931-4FA0-623C-2005-000000004302}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:53.838{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26F46403F1C1348FB58DAC9FAB5967F,SHA256=573A29354A1E4DE5DB27075F73ADEDE5BA27A4EB8AB1E440764D1161FC71422C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:53.538{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B5F957646E4235AB99D37D13C243E0,SHA256=31A1F1AB7AB433B694FC49EA5DCBC03DD16398E486E62389D2A54B42490775AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:53.369{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AADC7D3C67BAE90BC84246CAA6B9409C,SHA256=1781E96A7856E1E7124467FB31FC49E8DCA27FA451B4C87F145068E7C9D9EB6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:52.994{9531C931-4FA0-623C-2105-000000004302}35882028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:54.932{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D1DC351853610DD1CD44F612161A12,SHA256=75C99220825FCA0BC8A50FDCA53ED523F4A657CEE832528E7024C6521E6D5430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:54.632{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC6DB5A077A03C599692EB03AD3EF50,SHA256=85A658628372EB4EDC991DD2572A594FEAE1980EF1BC63B8C549CFBC687AE2FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:54.585{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:54.585{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:54.585{5F3DCEF0-286C-623C-0C00-000000004202}8246824C:\Windows\system32\svchost.exe{5F3DCEF0-286D-623C-1500-000000004202}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:55.741{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87700CBF007C72EEE8C4BFED1818067,SHA256=EA79F15130FEEEF875436862DCA9EB39A2C8D484C7A2AC6E315785630A3FEEF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FA3-623C-2305-000000004302}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286C-623C-0500-000000004302}408424C:\Windows\system32\csrss.exe{9531C931-4FA3-623C-2305-000000004302}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.933{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FA3-623C-2305-000000004302}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.934{9531C931-4FA3-623C-2305-000000004302}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.307{9531C931-286E-623C-2100-000000004302}2000NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D0577817C2B3827FB45A6B65D3B463EA,SHA256=326421748A2C22D3B6C3F51C8AF10E48B2A161484A108AA0860088F16BA8EE82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FA3-623C-2205-000000004302}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4FA3-623C-2205-000000004302}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.025{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FA3-623C-2205-000000004302}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:55.026{9531C931-4FA3-623C-2205-000000004302}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:52.938{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63298-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:56.835{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A17C49F1F6977FCF51FCC28222FA8FE,SHA256=DB13F5A5A8105EFDCDD1E8E0767A4793FAEE33AE657CA10DD6C6B67E7CA350AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FA4-623C-2505-000000004302}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4FA4-623C-2505-000000004302}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.936{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FA4-623C-2505-000000004302}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.937{9531C931-4FA4-623C-2505-000000004302}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.702{9531C931-4FA4-623C-2405-000000004302}26883704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FA4-623C-2405-000000004302}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286C-623C-0500-000000004302}408528C:\Windows\system32\csrss.exe{9531C931-4FA4-623C-2405-000000004302}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.436{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FA4-623C-2405-000000004302}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.438{9531C931-4FA4-623C-2405-000000004302}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.280{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD99F0752C1DFE7ACF68455623B040D,SHA256=07DECE15BACCAE2C1257FDA7BAD77B0C3C90AB12A999581AC991E7D89EBDC22C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:56.186{9531C931-4FA3-623C-2305-000000004302}7441896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:57.929{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D29067EE53A5A5D04ED3C2AB60F80CF,SHA256=7396DABF70DD24C39B2BCFECE46EAEE37EA448DBE1AA74BC891233B5E2C27323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:57.436{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4CF01E6B837159F89B0A8C63926BD1,SHA256=F1128A21C79620FEEA0121F6DAD5544ED60A11F4E1E942CFD2A995F649FDA806,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:57.202{9531C931-4FA4-623C-2505-000000004302}39363604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000085625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:54.793{9531C931-287C-623C-6A00-000000004302}3024C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-971.eu-central-1.compute.internal51668-false10.0.1.12-8000- 23542300x800000000000000085628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:58.265{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B650FF81D7D2A9A671CEE21684C317,SHA256=FF72A0C343580A1BA8CA14EF33B78DEA7EA25CD8134005A4CCA3D5E44D9B0323,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-2870-623C-2D00-000000004302}28322852C:\Windows\system32\conhost.exe{9531C931-4FA7-623C-2605-000000004302}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286D-623C-0C00-000000004302}720328C:\Windows\system32\svchost.exe{9531C931-286E-623C-2500-000000004302}1436C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286C-623C-0500-000000004302}4081060C:\Windows\system32\csrss.exe{9531C931-4FA7-623C-2605-000000004302}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.405{9531C931-286E-623C-2100-000000004302}20003200C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9531C931-4FA7-623C-2605-000000004302}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.406{9531C931-4FA7-623C-2605-000000004302}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9531C931-286D-623C-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{9531C931-286E-623C-2100-000000004302}2000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:01:59.358{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DEFA8A0A2391BD8ACCCA37FE9A072C,SHA256=90E8D1D71DA92471B3BD3DB91B9893D66DAA511C1E9D58123CDD0A83D1D95017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:59.023{5F3DCEF0-288D-623C-8200-000000004202}3916NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E5B57C906390CF6CD577C5E9E89FBF,SHA256=377D49062CAF82B57816921B3F85A310E981CEE559CC0A1634D65E4CC46B2011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:00.483{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BD66CB7789A7E70E15E50A4C6F0B565,SHA256=2AF3EEDCEFF152C1CA6A57F8C7BAB51AAD4F553474A88A1FFBCC319044DF61D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-971-2022-03-24 11:02:00.452{9531C931-2883-623C-7B00-000000004302}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD865DD694D92DEA4F481A56E94A534,SHA256=4A293EBD79DCA756239E24C66B71FF96AFCFA0AE940E3007E961B381A169592C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local-2022-03-24 11:01:57.970{5F3DCEF0-2886-623C-7800-000000004202}3396C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-891.attackrange.local63299-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-891.attackrange.local