23542300x800000000000000046119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:36.425{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80897FE31C3F4A9282DA6584D9FF77E,SHA256=CBD6392E80E89322FA5536357DAC0DF2EA52B58A68A589A1E3624E0BEF17047D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:36.281{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAF60AE2EF761B99BAA70DA70C9069D,SHA256=89697F9ED1378001D597E44A37FE81043428DAB457FE470A55489BE852EF0B35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:33.169{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65316-false10.0.1.12-8089- 23542300x800000000000000046122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:37.460{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620DBD7A8047EECBACB578714F3C50CB,SHA256=ADDDCFD3DB5B52B0C0C7F6334A5AF750BCFA9065A653FB89C728A4AEA05F5EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:37.296{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E0E1694375412F82034CB5B35E5ACA,SHA256=4D064829A5C1A7C049EAF2F5EBF0017663AAA32BF34409D1A503964BB4A7D93C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:35.832{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local62928- 354300x800000000000000046120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:35.030{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65317-false10.0.1.12-8000- 23542300x800000000000000046123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:38.495{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D89A74E5B64EF2D0BC2F6FE59D0673,SHA256=125B1C280C4C3B9F197B33789F5B477F42538F3456295EDAD24C835B07A20DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:38.312{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D69E62F5F620345B0F341A50299032,SHA256=EFE6944D7FD633382C509FFB304CFAD6DA6AA508E1A0C2E704C07426C84EB3D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:39.525{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BD9491265192E22B450606BD025AFA,SHA256=CD52EB8650786859D01E81C64603D71EECED1DACDFA3EE9A0DC6EEF89E2F56E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:39.327{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3009532A454F10B95248345C9D12D6E,SHA256=291A79AB1E7186BCCA88CF64D485A08967C2D5BC7C7229F5062DB688CA731D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:40.540{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7087194582E8893266EDBF6276EDE403,SHA256=58ADC511B68413546DDC3A19056AA019A95588F23FCE68DF82FAD81AC8124B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:40.343{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0471090D16F38242AFBD2A75D083A7B9,SHA256=CA8AB3AA8EBB2BFE9CC34388F82E3985C6500CCA755F0BD1A619AD0B41486D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:40.409{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\datareporting\glean\db\data.safe.binMD5=DB57A48F0F4317395F3C9E6B97B17D7E,SHA256=ACE9AD158BA76BEE1351E7A252238182C8439EDE77A9C7D684AA56789C0E97E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:41.557{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C766C79697C55FB4AE30EC1714D2B463,SHA256=A1AA04C2398684C2EDD075702E419449E4CC39A93B230A98E678DF37025703B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:39.901{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50471-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:41.535{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADF12276DECD99CD0E321A5A02EF089,SHA256=EFDDD3FDFF9B0C5C893031C237435C23052DF65646EAEFB626F328F2F56F0030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:42.576{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD76292B3BA5C6270D4656A0E7D15A5,SHA256=5445CCB0264741C7EB14AA60B8599D341B61D4AC9BCE1F9AA5844E67D7548415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:42.722{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7BD544E9C8A622FF5C17C4324EF913,SHA256=DDE93D5BF8B2F01DB87BAA06B51DC200BC4B26CDCCCBAB9EB8ED8E3199040000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:43.785{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86687244FCAF19DAD5063766AFAE7FE1,SHA256=6933C4308D59BD52279F0E1F3BBD10B0CD38049B2C528F1B2EB2E210497F241B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:43.592{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D716E98A4D896D0D0170E3D142CBD8,SHA256=46A8D062386F4C9D8952F16856E0A7F86CEBF063B297F3C00052C39A530026B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:41.029{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65318-false10.0.1.12-8000- 23542300x800000000000000046131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:44.623{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F24D3C67D530A51771926FFF898652,SHA256=5C2E55B48584F3A16658C18C6021EC1434A20684B897200F93BB5FC1134B8974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:45.623{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4101818A329F48EEC1D148AFB20704AC,SHA256=88D0097D744D921077551D035EA7AEF096A1C663166218AF07AD60DF94B3B5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:45.019{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EAD8B52F46C18D841A507ABC270854,SHA256=5BF5E1D8D25B269607C3850ECDB35C3A6E9C48F6067ABB58F7E3928077FE5500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:45.423{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\datareporting\glean\db\data.safe.binMD5=3025A872500B9A74603D98DCF418DA04,SHA256=74D82E76494BB8D8656784F3B8222CD057ADE89B6C751340067FED4800C079D1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:18:46.838{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x800000000000000046138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:18:46.838{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\F13B0035-58C7-49C5-B747-E6C0B33C6DA0\Config SourceDWORD (0x00000001) 13241300x800000000000000046137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:18:46.838{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\F13B0035-58C7-49C5-B747-E6C0B33C6DA0\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_F13B0035-58C7-49C5-B747-E6C0B33C6DA0.XML 10341000x800000000000000046136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.822{328C47E9-32BB-621F-0B00-000000003602}616824C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.822{328C47E9-32BB-621F-0B00-000000003602}616824C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.638{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FB285EE57B9F9B1784B50D6FC29EFE,SHA256=B10CE2D2BB6E629A1A01165093421AEA441422B85090918F61558A170AB1E684,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:44.905{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50472-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:46.207{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA74043D6A597B6E91B0B30A10BB493,SHA256=546F41BEC9228B4B0CCCA5082F72D5310031C965B59B488339B30BF530EA5F33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:47.691{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:47.691{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:47.691{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:47.658{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5E83B3DEE815309564671CF85727EF,SHA256=042AC1C8C36CDF065AE567A1CC97637C0D381FD49E38410534F15E8F404F9EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:47.410{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16EFC21662DD83A24CF55CE0FB09937,SHA256=22ECF24CB1EC584A40B58E10BC20714EE616FD1D5BF0A87FDBCE595C7656613B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.150{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65319-false10.0.1.12-8000- 23542300x800000000000000046158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.721{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26534B5D7C1CCE4416B073D8ED75264E,SHA256=52E5C245A0021210A7048447AC9708B6D12DDB19C3A7054CFD61271BEF2E1359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.721{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4B089F66476B39CB077E8523BDB776E,SHA256=D12844EC1927226EAFFFB180514A330237661D509EBC57F55E8842EC17CDA00B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.706{328C47E9-32BB-621F-0B00-000000003602}6161212C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.706{328C47E9-32BB-621F-0B00-000000003602}6161212C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.674{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674C793EC8E9DC57169987343FFF686E,SHA256=6FEFB242053E54CA93D237804FF70B6E3C0F3547FF92F35B06FD07E7AA570215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:48.425{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A0A11B9FFBC1438BFC0D341C0B42AF,SHA256=4DC2ACD38C96E38F1B1C51446943577553BDF6A16CA5308B246BAD394C6AB681,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.827{328C47E9-32BE-621F-1400-000000003602}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:100:0:c840:3a79:8585:ffff-51387-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000046152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.827{328C47E9-32BE-621F-1400-000000003602}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local51387-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000046151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.825{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local54563- 354300x800000000000000046150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.824{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local63892- 354300x800000000000000046149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.798{328C47E9-32BD-621F-0D00-000000003602}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local65320-truefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local135epmap 354300x800000000000000046148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.798{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local65320-truefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local135epmap 10341000x800000000000000046147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.521{328C47E9-32BB-621F-0B00-000000003602}616824C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.521{328C47E9-32BB-621F-0B00-000000003602}616824C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.521{328C47E9-32BB-621F-0B00-000000003602}616824C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:49.690{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BF429E4381071BDF42152672A34F8D,SHA256=EB3B87C7B100C699911B274792F3B430A45F83C5ACAC6D4EA4040011F9492C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:49.441{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A87BEFAF3B41BFB650C4201AC18F6A,SHA256=51BD53751FA93E039F0AB0AE06812BE4E8EB608719FC2D62D2EF6534D16253E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:47.664{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65321-false10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000046159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:47.664{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65321-false10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local389ldap 23542300x800000000000000019521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:49.254{0B31F0A7-34D4-621F-1100-000000003702}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E9B140EBE15143E5E13FCC4EFC8963D9,SHA256=8D8F3C30D2C64557F02EC761D1E704241C2CFA7464FCBBD4F85D27EFCB4B6007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:50.705{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ABDF22332A90CA519D7BD0779C2BEB,SHA256=98ED87032345F3E6CB1ACC83442C46D256C46C3510413D4951CCB8EDD5231496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:50.457{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D827D1EFF5890581CFCF9294D5CC4CC,SHA256=85321F90D0F5ACCB42F2DDB2FEBB93A164F0370514804C30B3163959B880B8BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.495{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65322-false10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000046162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.495{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65322-false10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local389ldap 11241100x800000000000000046166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localEXE2022-03-02 10:18:51.804{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXEC:\Temp\idafree76_windows.exe2022-03-02 10:18:51.804 23542300x800000000000000046165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:51.719{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF435027F5B45D03896B0B8BC33D25BF,SHA256=FF99D4B7FB56CAD63221A6DB3964A32D68B5E98CAA0585ACEA75024E8AE7660C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:51.566{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-1300-000000003702}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:51.566{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-1300-000000003702}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:51.566{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-1300-000000003702}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:51.472{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C997D80EF90ECD0E62A5661AEEA457,SHA256=25B616001561D217DDE1C6FC01412BB0A504208867508D66C57543EB553FC6B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:52.923{328C47E9-38F7-621F-2706-000000003602}10201336C:\Windows\system32\taskhostw.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:52.739{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDA5BDD78189FEF32D21AFF939609B8,SHA256=536E65605F92BECBFB7A107767BB90DFB3B80269E771E53E833BA5FC3ACA8DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:52.488{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BFAFEB67557111E1272FA6B12C9D2D,SHA256=18D61CF34FA7966AF8FEF3F7DB82562DA68F1CE912B4D1426674041647343620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:53.756{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECA2C39F26978FCECF9CA415B3C2F54,SHA256=65A952CAF1CEAE13D62A4EB486C1A56826EA3EFD4ADDFCA230A2A2A7ADA28794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:53.504{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B98A5620F3231D64E362B34F2F1463,SHA256=A2F1959D4E06B77796FA8FE7B195641B8C0511F205F6317C792C408C77857873,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:52.127{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65323-false10.0.1.12-8000- 354300x800000000000000019529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:50.905{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50473-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:54.776{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488074849EC4976FBFB1134FB1DD551F,SHA256=E39ED173B1BDB27B7C4E9A894B25854D2D99668BEE94296A3294FF26A748E7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:54.504{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B149486E312F73545034A9E3B5310AD8,SHA256=63A1AB2B30AD80F9659D87CBBB33712AD8D0FC395DD438D0C5AD9514CAB9A3BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:55.806{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A530D152E38DF148122C8B72F668326F,SHA256=9738C1E1CC993DE17AB6B34B2748B2A1A25CB5B828DC13F6B85C8C7BD4FD04D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:55.519{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3182D57E80429C16F79D6079AC8884C3,SHA256=4A5F256626395F06215C7CB5557B0CAE6DDF85264BC7AE0545E3551A82A02C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:55.154{328C47E9-32BE-621F-1200-000000003602}340NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D322E4BCB7AB372E5CD6367E3641C656,SHA256=83B95CE4C5D505C6458A624EA41E8DEFF33D5FBC2383BE7259E4C5DB2F7A9D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:56.821{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6668D9FD06108A3656FC8977AAA966,SHA256=2ECB3C480EBA505E3071B3C9F4C78717FA294C0A9C056740531532F56297BB68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:56.535{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E6C1CF0FEC9FE9786AE7B3FA2C7B5D,SHA256=1082180789ACF009F7E11F4DF5AE029458B847779F8CBAFD71DAB297C35F0783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:57.550{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B122D9C1E3D3F73385CF795D84F5041,SHA256=8C14FD15B465A5A00FE530363E9A4A627BE55861AEC543297B38852616629ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:57.836{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF2E0AD14CB79A28453CFBFF10227FD,SHA256=1EEC6E5F57D5EC1AFC69A60E1A046E93677AF2E5120D2A0B71629A60B17976E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:58.858{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C396CBD47CAE8EE8018E991EC0DC79,SHA256=B6E4DDBA87439303FFCE3DC604788D0A7F074044A0B8E1613DA9DF6226ADABF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:58.566{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4479414662B7F966407010060FC27C0E,SHA256=6375B7791CE25C58A36AEECE732917A039991B37FCB27417699B09722AF55061,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:56.061{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50474-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:58.239{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\datareporting\glean\db\data.safe.binMD5=0C09D651A02F13E2D4349CBADEC3065D,SHA256=F2840D7278F64A6D40D290A3486F72A9EECD6B305440FA597C84843CA487ED63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:59.877{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE3C54FFFD21DA251D6D621FF7A4EFE,SHA256=4F3E507D0E395BBB5000421CCA2AE50B3780369D4F0B499864B6286918228C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:59.582{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C0BF94870145881CAB84987B1B51AC,SHA256=5C616F933B3DDBE8C0BD45E134FB322B1DC82A0515116B3D5011663E6DD39336,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:58.029{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65324-false10.0.1.12-8000- 23542300x800000000000000046180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:00.892{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2A36E1619304CA1505012FF30B6796,SHA256=64AFC9ED1AB845D4E6B72FA58927C0CB05EFF65C22601F1F3DBCC3852867BCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:00.588{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898AED636238729D90D11FA0D06F9F28,SHA256=C802B3602E0D9255C3AD5965940A152DA7284B8930EE3BE401476412E8EE19B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:01.588{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D54BD1777E015952EC3EA149BAA4DE,SHA256=041F09BFF49B30170D457EE4EB90DD7767A110B6AE8D5365FE91B3A3A43C401F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:01.908{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE61532E9DF5EC881EDAE4FA31CD1E60,SHA256=D10D290BE7314C4AA1003D3D03D2175FE785785A4F3EA2943D885BC085F60347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:02.603{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=487020A54D34AA7442B36709DF7A43D1,SHA256=4FE90CC3DC345AC86328E72CC55D5E25385FF115E7032015ED9A65C72CBC5992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:02.923{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA31BBD3AEA47F9E566B4F67F0DD27A8,SHA256=60B903E7ADF1BF0BD17AEE38A833ED2D97D2F4F74467C19A4101633B6BC6A5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:02.196{328C47E9-32CB-621F-3000-000000003602}2276NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b2a54b03ec6c5aa7\channels\health\respondent-20220302090310-073MD5=47B9AB6966A9A68B2D576A1C6AA75061,SHA256=8AF396895B30D9593371F8AB463A5CC9CFB2CD271124040E771BFC539AC707CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:03.650{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5904D75FE4AA230CDC7C45CFCE2A6618,SHA256=535F0EA22D8C2CC00AD790076031AD7CFC8E358751390EFA3ACF33EEC8C86312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:03.924{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C535EB2FD12DC34537C63AA37814BA5F,SHA256=265003A5895FFA829592F734B7DB687A495F4C86A6AA22A0B9C9F90D6C6ABAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:03.254{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\datareporting\glean\db\data.safe.binMD5=59579D10E50FBA2EAA626B453E094926,SHA256=B2953E34E35457091324725154128AF92879F26264029B5FE63BB009C218C489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:03.209{328C47E9-32CB-621F-3000-000000003602}2276NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b2a54b03ec6c5aa7\channels\health\surveyor-20220302090308-074MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:04.938{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69DC7C2D6E6A32418A194290E4A7804,SHA256=5199BCCE59A1ADE0DD860FD3B93BA8F4DBACF1CFC3B9973C35EB8E85128818C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:04.838{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9840A701AE44BE4CEEC1AC283345D3F,SHA256=E9BB725A3F8B8F9ADC6CE98AC601B2D30260E2687DEC397B1BEF92CC8DB2AA24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:01.927{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50475-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:05.956{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0211779DA43B5E077483ACB91801AC03,SHA256=4AF79B9E1B1DE2AA832CA8DA648D61B72894C0F07F9AAC8AA27C3584265AAF23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:05.853{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98938DB8A2A6D0455C7993E041E9BD9B,SHA256=27732D1D456583010FB50B819857D4B015A42AA2632ECCFFBDF239D163440E43,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:04.029{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65325-false10.0.1.12-8000- 23542300x800000000000000019545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:06.853{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E459FE623042D8E45ED0AF2F01CB41BC,SHA256=843D21304D48DCD5F0C77771F5A4B5CDDCEA4C05756B799BDC0ACE4666AFDE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:06.974{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95F0D527966919A321396E9F16009F0,SHA256=C1F6442ACB5D4C891002A84ED91C6900F3F207AD0EB7CBB643BB9946A6CC7AC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-449B-621F-9405-000000003702}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D3-621F-0500-000000003702}392508C:\Windows\system32\csrss.exe{0B31F0A7-449B-621F-9405-000000003702}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-449B-621F-9405-000000003702}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-449B-621F-9405-000000003702}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.900{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4C1A0E4B968915989F55ADC45EA9DC,SHA256=504BF2BF618D3B57F2642E38AD20B5D88DE947F3FDC2F79757275C0DBD5185BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:07.989{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EA5FBEB71D7BA8CCB05B9BE0FEA426,SHA256=CD3E20EA030B74093056C1586F3F31B94490392537FD75873394E0E4F14BC593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.900{0B31F0A7-449C-621F-9505-000000003702}11801340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-449C-621F-9505-000000003702}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D3-621F-0500-000000003702}3921048C:\Windows\system32\csrss.exe{0B31F0A7-449C-621F-9505-000000003702}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-449C-621F-9505-000000003702}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.745{0B31F0A7-449C-621F-9505-000000003702}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000019590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.974{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50476-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000019589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-449D-621F-9605-000000003702}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6AFE49331C5DAF946B3ABC0669338AE,SHA256=DCBF912D0950196081DD9041A929E0CE74EDA38929259AF3EA8E8487238A3F8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D3-621F-0500-000000003702}3921048C:\Windows\system32\csrss.exe{0B31F0A7-449D-621F-9605-000000003702}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-449D-621F-9605-000000003702}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.340{0B31F0A7-449D-621F-9605-000000003702}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456AA815CE228E8E0980AFE02BD44588,SHA256=85057C542BC3520C448057F4044099BF81A0E653EF3A8F32FA41929FA7470300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0275BEE8F58EF5F80521DD00304B7F5D,SHA256=F71A474D98E2CD3755352257A5A98D8F225C9AD73A3D837746B2710397A60A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:09.004{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A800348A4C71376E0D73F0AEB517480C,SHA256=5C1FFEF976EB403EEF330730284C7C5FED72DF26273A153F984FA4C226844B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.541{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040F081D855C8A0FAE2D93E1B57B7CC7,SHA256=B32A54EAB6ED857FD54CF39E8D50C714B076D62A81169FF66EAF1730CBF99A50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.385{0B31F0A7-449E-621F-9705-000000003702}30323420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000046194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:09.177{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65326-false10.0.1.12-8000- 23542300x800000000000000046193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:10.020{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABBDABF889E45B6261E1115FE2F94A2,SHA256=18A8286A2D6AC7011E21E23D4BB051E1A706773B7E38D560432BEB03F4A69DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.369{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6AFE49331C5DAF946B3ABC0669338AE,SHA256=DCBF912D0950196081DD9041A929E0CE74EDA38929259AF3EA8E8487238A3F8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-449E-621F-9705-000000003702}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D3-621F-0500-000000003702}3921048C:\Windows\system32\csrss.exe{0B31F0A7-449E-621F-9705-000000003702}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-449E-621F-9705-000000003702}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.245{0B31F0A7-449E-621F-9705-000000003702}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:11.603{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918CE329314D0C44E56CC4FEF154191F,SHA256=FA2C250409393CC7CAD2C8120EC11F9C1EE0DE67F63D46CF76247F74BFE08180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:11.024{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2DE79A90E0B34C3163A2D2D4F62F2D,SHA256=A995F8FB1EF98953814A7D23FE0BEBF1224CA1E520D4A9A78D2E2929DE489D25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.822{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECE54E501FACAC199A3AF5143B7E0DB,SHA256=5A2D2E14C5F16ED6F81B497EC1CF64E600CECF56F0491DE5DD07495C685FC52C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.791{0B31F0A7-44A0-621F-9905-000000003702}29323776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:12.039{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BEDEAE0B876454CA867F459E29E45F8,SHA256=22514D0B5DDEF93ACB3757F4EF3A719749039203F23F277B3BA141462590D2F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44A0-621F-9905-000000003702}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-44A0-621F-9905-000000003702}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44A0-621F-9905-000000003702}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.620{0B31F0A7-44A0-621F-9905-000000003702}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.431{0B31F0A7-44A0-621F-9805-000000003702}36723504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44A0-621F-9805-000000003702}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D3-621F-0500-000000003702}3921048C:\Windows\system32\csrss.exe{0B31F0A7-44A0-621F-9805-000000003702}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44A0-621F-9805-000000003702}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.120{0B31F0A7-44A0-621F-9805-000000003702}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.806{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB12C4309F008EB33613626AEFBEFA28,SHA256=CC534398A54F5585311C168BFD121EEB5A3FAA0A5ED634FBB5D61C250DA3BB6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44A1-621F-9A05-000000003702}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-44A1-621F-9A05-000000003702}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44A1-621F-9A05-000000003702}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.182{0B31F0A7-44A1-621F-9A05-000000003702}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.135{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DAC144A68CB0BCBE4646C4AF8CCB26E,SHA256=37C2BA75E5497831A3BC0DA0BBC2190F559723CF9B8B93ABDEB6C564738369AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:13.041{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B37A6FCD6F7BEE7671165B50249181,SHA256=AE366B8E0A2869C0E29D89A43F1AABC6142F8521A1FD72552218E2C4558708F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:14.853{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2002E286B75300780720A2EFA09E41C6,SHA256=C9191A32B776FCF43E77532627AD41CC7D9D4A5C5FCACCB0EAF913BE9DA9371B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:14.042{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FA73F05A449CC63437C0E53B2CFC40,SHA256=2324157211711806A8E2D4B600C9976AC92688341BBA029BEA434958BBC24CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:14.197{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5940F6E4875B9B0A47337A64EB722CD4,SHA256=35CA3972225BDB71626CB02ECE78E46A416FFFEB6E769778FACA50C54953828B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:15.900{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9360EF2E57B23108296C519BEA56DA48,SHA256=77E769F10A679AF0784A531C3CD87B44F47CAD59F63D28241C7056F509A5964C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:15.043{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFA38EAD483B3559AF5E52A5DBEF761,SHA256=03AD7C3D0CDB6141E0960D5DAA09BCF8A647670C0DE2C89062074341AD7096FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:14.020{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50477-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:16.931{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533B03711CC354DE2857CD984A8072C0,SHA256=74312C05EB7BFC60D8DE3F1A9541689058F7B072CAF4AC2959F1633DEF0B1970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:16.061{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22295860800C21BB39AAC4AF46FA483F,SHA256=7B8B58943C414D6CC6AEC141CB70138C14F2D5BE513CD40B8B02D8FEF9B346C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:17.947{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB012BCF18BC134FBAC59ABFD14E23C,SHA256=860641197EA8D396F2563F1C54626575258D3CD22D0B8D387973E086F6082BB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:15.102{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65327-false10.0.1.12-8000- 23542300x800000000000000046201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:17.081{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE58F2CE1CFA3C27A55C6729BB731B3,SHA256=07B537E83ADD44F1593AF4CD4471CBCA30D1BD34C54844F4C51F5E3A9E7B5082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:18.995{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C22B1790C6692A1DDDACBEEB3554F81,SHA256=963CF1C0F884516D7707176A818D3A0160C3350FE54C68033EE7434C4704F578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:18.112{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF575F0A30F60069F4AB5454EC35C16,SHA256=45D92D372EE73EB0AFC4B703DAC3123DB9E54A6C57870720217B44079726936B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:19.142{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1548365F72D72833AE55576E1CD21518,SHA256=883F9F7784141EB236392AC5B83CA1D72DC4B28096300EC763AC3402B904E925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:20.160{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1145DD5E07058426B2D7F57FCAFE89B4,SHA256=99B18D36C82C62D8879FFA365A6D286A895D7EA7F63A7E9F05D6D40BFBF699A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:19.098{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50478-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:20.150{0B31F0A7-3557-621F-9D00-000000003702}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=BF300F7014437E589E790062B067C7C5,SHA256=F82904089512CD064BF4FD93876F475B3938370D05E059CC66B62D22F3E3360E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:20.009{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206C91FC81BCFC081D37711ACFEDD1E8,SHA256=C2CF47E5AC8EEB1EE34CEC427EEADBF143FC646A6C2B7B967F74924CEBE68535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:21.014{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045D8E7C1707476B0268D7F4CB87AA07,SHA256=3D13607072B8FB761A088B51ED90B57B6EB786D1E20D4CD0014F1F9C94B70A03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.441{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44A9-621F-F007-000000003602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.441{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.441{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.441{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.441{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.441{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-44A9-621F-F007-000000003602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.441{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44A9-621F-F007-000000003602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.442{328C47E9-44A9-621F-F007-000000003602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.179{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8501532C4BFE73FEB3130463FB9A76AE,SHA256=4890D5FEB89CC25307FF3A9BD53CF3D2AE46A0084CC544655686EC0A63FAF11A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.778{328C47E9-44AA-621F-F207-000000003602}63848028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.600{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44AA-621F-F207-000000003602}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.600{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.600{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.600{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.600{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.600{328C47E9-32BB-621F-0500-000000003602}400416C:\Windows\system32\csrss.exe{328C47E9-44AA-621F-F207-000000003602}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.600{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44AA-621F-F207-000000003602}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.601{328C47E9-44AA-621F-F207-000000003602}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.447{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11E2880D6F2F37B1574B680E86D43935,SHA256=59887C676F40FA3ED8B3D6C96F56B2579B124B43C098FEE97C1CE6262F46F6FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.447{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26534B5D7C1CCE4416B073D8ED75264E,SHA256=52E5C245A0021210A7048447AC9708B6D12DDB19C3A7054CFD61271BEF2E1359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.179{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913667AE2D138ECF3C46611964FDF133,SHA256=9DD387D5063E420FA0FD92297CB436F0CD5AF703D701B0AF4055346FA62B049D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:19.979{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50479-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000019663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:22.202{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26FBA8063785D254285F0652BD21056,SHA256=EEB1B05BD356B285101824618415343AD1F8885FA05D582D91162FFE599CC82F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.110{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44AA-621F-F107-000000003602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.110{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.110{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.110{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.110{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.110{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-44AA-621F-F107-000000003602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.110{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44AA-621F-F107-000000003602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.111{328C47E9-44AA-621F-F107-000000003602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:23.342{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911B407F5A22A2DD797721E504AD8A45,SHA256=35B07BA2A5462B17E0F50BF38333F904A4E39693DDDB46158A9C3C0D2AE319CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.933{328C47E9-44AB-621F-F307-000000003602}6916992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.684{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44AB-621F-F307-000000003602}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.682{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.682{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.681{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.681{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.681{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-44AB-621F-F307-000000003602}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.681{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44AB-621F-F307-000000003602}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.680{328C47E9-44AB-621F-F307-000000003602}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.631{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11E2880D6F2F37B1574B680E86D43935,SHA256=59887C676F40FA3ED8B3D6C96F56B2579B124B43C098FEE97C1CE6262F46F6FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.052{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65328-false10.0.1.12-8000- 23542300x800000000000000046235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.184{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81DFC18C2D26C7409DB69D130E5C734,SHA256=271022F9BBE494A88D18643B17FEA6099059B308D75520829D13920726C16974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:24.420{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D678228443C193E784CEDD80FFF16238,SHA256=5F307DB2CA9A0137ECD6108A3DD6756DF63AC420C8701B814CB8D39FB2FE127C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:24.701{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=291D69587C1E7BB80DB0DAD14569F52E,SHA256=C52907C0931F8A48020EDA42E39EEF14A0AF043B3FA863EE9C66AA1D2E3B86EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:24.202{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F79C809745F7C5767A2191DAAEE478,SHA256=F0CC97CD70D8E9430A55F5C3B5F33F3C8085E853074C47E8361EB20691176B6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.200{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local65329-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000046247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.200{328C47E9-32CB-621F-2800-000000003602}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local65329-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local389ldap 23542300x800000000000000019667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:25.655{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F41ED8AD32078BD6647C6B5016890C9,SHA256=91C4E843D7190DF890E98544C60DE457EF81C5B4CC43176261AA5C8EE0F3E971,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.763{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44AD-621F-F407-000000003602}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.763{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.763{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.763{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.763{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.763{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-44AD-621F-F407-000000003602}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.763{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44AD-621F-F407-000000003602}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.764{328C47E9-44AD-621F-F407-000000003602}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.217{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202F26DCBDCC7D74292A2D08BF6FBBD6,SHA256=7214C7448D12843803EA86497E38EBE2D97B2CB6DB10BB1CFFC4A0995D48E00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:26.889{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5520CF49B57222F5ADC03D6652860495,SHA256=05D136CFC04D4E70FA27611BE81EDAA57CFB59DE2336B0319FF5BC94A09085AF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000046282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00462f77) 13241300x800000000000000046281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82e16-0x9cf9ba20) 13241300x800000000000000046280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82e1e-0xfebe2220) 13241300x800000000000000046279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82e27-0x60828a20) 13241300x800000000000000046278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000046277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00462f77) 13241300x800000000000000046276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82e16-0x9cf9ba20) 13241300x800000000000000046275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82e1e-0xfebe2220) 13241300x800000000000000046274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82e27-0x60828a20) 23542300x800000000000000046273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.778{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69255E0E165D92A4434D01A084DAAD14,SHA256=5BF54FFA7AE4C3EFC13C45C6C3917291E15BD7E31803EFC6BF76FAA4D2C980C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.497{328C47E9-44AE-621F-F507-000000003602}58281588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.263{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44AE-621F-F507-000000003602}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.263{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.263{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.263{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.263{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.263{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-44AE-621F-F507-000000003602}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.263{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44AE-621F-F507-000000003602}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.264{328C47E9-44AE-621F-F507-000000003602}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.232{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0736C8BEF1A0FDCDAA7F3031ABC7755,SHA256=C4346F561E63027E937B68516CF1EEBE4C8CBB1EC8275B321E3E3BDB998E85F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.085{328C47E9-44AD-621F-F407-000000003602}78686656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.063{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=44278C5C489EDB26D5632FBC658DDC6F,SHA256=C705FFEC0D507AA22C16C6249C4D811263508EA69BB2706BE9738BD0D82A2DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.047{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=47D65CEB5EDC97828C46FFC639DCA709,SHA256=578BA9A15625A0E3D2A4E9BDC0ECAC0E7E2B380712E21924B2653CDD53AF5F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:27.920{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849671DA75B19A7C53CF869EC64089A7,SHA256=AA9C06150F8D8EC7A37F4E5C0462AA45DA96030CC5AE0FA17661228E30CA6A81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.909{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44AF-621F-F607-000000003602}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.909{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.909{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.909{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.909{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.909{328C47E9-32BB-621F-0500-000000003602}400416C:\Windows\system32\csrss.exe{328C47E9-44AF-621F-F607-000000003602}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.909{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44AF-621F-F607-000000003602}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.910{328C47E9-44AF-621F-F607-000000003602}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.247{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0D56055E69E8A67E654DDE7269D0AA,SHA256=9FC3998057A8EC715D766AD6F337A490034C36D679363087E2C898637A2017DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:25.041{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50480-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:28.936{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF108273F5DE232EFA111E4F9A323964,SHA256=AF79D983164309CB9AB2273EBF57FFEFFCAF6F247CB7027BBC1BB197663E3C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:28.928{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6C087069083424C1F508CF243D1BF99,SHA256=3E72FBEE313F33A14BA072650DFE88A457E698D5898C897600D2171E33BE711C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:28.278{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523101E571E0F5932EFBC279B2CF93BB,SHA256=7391D5BD8753A2F6D4D145D86E294B522BBF64046565012D23AA6C39A789A702,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.083{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65330-false10.0.1.12-8000- 23542300x800000000000000019672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:29.951{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8F93923DEA7555753C75B62F7ACA45,SHA256=062DF09B64A3F8D618C65456A6841166C0C790B124A60DE4CECC49989FEEEF0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.960{328C47E9-32BB-621F-0B00-000000003602}616824C:\Windows\system32\lsass.exe{328C47E9-32B8-621F-0100-000000003602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000046298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.845{328C47E9-32BB-621F-0B00-000000003602}616824C:\Windows\system32\lsass.exe{328C47E9-32BE-621F-1600-000000003602}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.845{328C47E9-32BB-621F-0B00-000000003602}6161212C:\Windows\system32\lsass.exe{328C47E9-32BE-621F-1600-000000003602}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.292{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECF8A63AF39584AE9F2FEE5D1E5290D,SHA256=0A1C166E372918DDDE7C39873DF22054C82AF6CADBD2DDC6E5A6795B63375A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:30.955{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FD573C6E8A87E458F9263D1B8760B9,SHA256=C169B527FDF6F1340E98687A0C9D383AC2A9D4C3BBA7F1486F6DFBBE0ABC17A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:30.891{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E9072E759B11458B49C08778B8D15E9,SHA256=34EEDB9660025D8B125CABA10AF4887EEFFD0DE4A426D996119BA06C63D4498F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:30.307{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482ABC3EC480E687CC2AB19180E0A855,SHA256=51A54D219ED26F26198DBD9E3198A8AB136DA4C4A3FE326CB0DF97D4825F89DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:31.968{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84937EA3491254820AD912395AF8019D,SHA256=86D403C1C31897B684361BD14F4CD983FFF6DF0E4CADE522E980B2DD79336625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:31.325{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81707878A4F6C9D10A3A229EBFD2DB63,SHA256=7955B9322CEB5E994C379FC1BABE6A37CD17935767973C97BA1D25061BA9163D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.938{328C47E9-32B8-621F-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local65333-truefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local445microsoft-ds 354300x800000000000000046306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.938{328C47E9-32B8-621F-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local65333-truefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local445microsoft-ds 354300x800000000000000046305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.831{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65332-false10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000046304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.831{328C47E9-32BE-621F-1600-000000003602}1316C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65332-false10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000046303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.822{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local65331-truefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000046302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.821{328C47E9-32BE-621F-1600-000000003602}1316C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local65331-truefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local389ldap 23542300x800000000000000019674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:31.066{0B31F0A7-34D4-621F-1D00-000000003702}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05f92af3186bb896f\channels\health\respondent-20220302091151-065MD5=430E98715AF7AF3635AF491DD4D57DC0,SHA256=DB5ABDF044C29F4F52A2AE95E41AD07DA17545B9719AB57C70BFA50A5C4AEE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:32.969{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C229328E2BBF6CC9798E50A2E0C9C898,SHA256=56964BA9D243FA22DBF3BD903A7F386129069CDFF75B964F7039EF789D03359D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:32.344{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389ECB8A799C42AB1C5557285214487D,SHA256=E6A65F0BE36F97D96A40A63D24A21DF8E8EA6B5F1BEFD2BCF1CE1D1F40B4E2D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:30.087{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50481-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:32.078{0B31F0A7-34D4-621F-1D00-000000003702}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05f92af3186bb896f\channels\health\surveyor-20220302091149-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:33.360{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC05929BDB99FEBB6BB3BD3F7B77A568,SHA256=CB72CF02B5CFE6913066709F7E9DD393FE174C61317998E72000E69378566C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:33.244{328C47E9-32CB-621F-2C00-000000003602}2984NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=BF300F7014437E589E790062B067C7C5,SHA256=F82904089512CD064BF4FD93876F475B3938370D05E059CC66B62D22F3E3360E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:33.100{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65334-false10.0.1.12-8000- 23542300x800000000000000046312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:34.375{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F24817C9A2F143214589AA7AD29C325,SHA256=3CA43342C333A258479503B866145E573FC91C1A24C12E777453382D97E01DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:33.985{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BCAA9495A4D51FAAD833471290734E,SHA256=7322B5533787E632CA38B2826E06335FDBA68B564E19AB201958DBEB538B13F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:33.196{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65335-false10.0.1.12-8089- 23542300x800000000000000046314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:35.390{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91D28D8A2FBCBFA0914225DD37E2E47,SHA256=F114AEA337515063E1999717A2DC17409D0BB6A9CA4FDAFE39452EAA2F99FAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:35.000{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C66EADB787FE32612E2CB04E2C7757,SHA256=78DB9346474223C956A1D6D4A21C0DB474CE20690DCE30DE81A331AE2A59A796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:36.425{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800A5ED8B423FFD9F731803B439872ED,SHA256=B6C4FE1085F4E8D0E0CEEB96BE0A774A28341F71EDD97207E7BEE88FE9682702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:36.016{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCCBC125B3B354939853A9477C98394,SHA256=FD01E7F4495DB834B8976FCC7F6725AD195D529632CAE340C6E9390F9B2C944C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:37.443{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF08FEFE78DE2969BCFB280D84909E4,SHA256=BE372A5AE20D8D8C50E5CDC274ECE058566E4AF70D296165448D4E5C4ED2FC8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:35.980{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50482-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:37.031{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF5E091DE301AC8FE6B73E41C3A29CE,SHA256=BFBFCE86F3C1E48A4AA17CEB55521FADBD6911F5B26EAEF4224C52CC76CA7B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:38.443{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169CEE8AB708210277BF06F5B3ADAAD7,SHA256=33D0BEE7ADCFB20C68C81D70235F0255E53BE253DA2BB3C15DFFA3FC6EA973F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:38.203{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8F04E11554A41E2E8CB32848CD732A,SHA256=F9CBF2740458FED3B215C350ACA14F33EFD3F261A47694C2E36EF40EA60ED34E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:39.458{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784AA4DF3B43D7876815A1FDA491AB89,SHA256=63017928BBFA20A57C239FC85F9F51D10C2511F5C208D7368FEA243C42D7583B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:39.360{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FBD1C7ABB49C646B90B7087D964E84,SHA256=5A00B2DA611033E8F37808C89420D6EB03913C46FC5DBEB42EE6B09867FCFFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:40.594{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DADA374DFB50F6EC96061E779807C0ED,SHA256=5F154A42A7C20BCD4FC4DDFECC6A469B1D3F9933E8C26B1F8D6B8624DE013BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:40.489{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B952E6B7A318257D1D67C51288B90BC3,SHA256=7CA8910A76497EA0C137A45EE41D711B80EF6A68F52D87963951FEB9969D9DAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:38.147{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65336-false10.0.1.12-8000- 23542300x800000000000000019687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:41.598{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F86BBEC99BCFBA1FD04FB4221C96216,SHA256=7E7A6CC799873FF5EEAD6CAA4AAE155A9772E6845B676D9AB539A61DC30A6A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:41.704{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0644D4F24A7B4A086D23CBE3EB5ADB5,SHA256=DE7661334F37A2AC139C6D46FEBBF1E388F4DD05BA58D94A7B98A9A63D9FA9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:41.704{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89FA1C8FC7EEB9E7C3D8A2DE0D1FA8C8,SHA256=D4004997A3BB9D495C277B12E10314029F0333C63B54E281CA9EFB50A231F9A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:41.505{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E59964C9C739E576191FFEC5D7E0494,SHA256=C77476EAD2EC63BD49C61A2477B1234573CD0963D1871CAD4AEC7AABB3A9C83B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:42.817{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3AC00E4EF1269E73BC7A848724AFFC,SHA256=6259EFFC479D0316AB020D91B3831098AA6B3B5F7FCFC9ACAE090DB337013B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:42.522{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4CBBD29E5B8B6D62D9965630CBCED2,SHA256=CFBA412945A649DE155FAE2292FDC104FF10BB22826383058533CFDC6C42E2E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:41.031{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50483-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:43.542{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF89D72C37E47FB1C117203DC05AF7CF,SHA256=CE3ECD4BAFB3F8E4FAB5ED5E3E126ED73493C5204CD79DB0FC0344E929B37396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:44.556{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F2B8F303F05DAA1EE88C475D05CB9B,SHA256=BBD617319DD1F393ED9F5FD3B7FB6954C15D809D279AFE5E6F2C7110C8CEF23C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:44.051{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06F2B0F0D9E723CA58CF9DD014E863E,SHA256=168032AE34BF71D6F32DE6A30E563A5B08BD398AF0C474DE27A99C09F340D7AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:44.046{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65337-false10.0.1.12-8000- 23542300x800000000000000046328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:45.572{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA61F3A476669190BB87E57B2EAC29A1,SHA256=3895441775B8342C6E5F99315CC1B2F99F84F310098A2AD12408F09ADA3E4BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:45.129{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E69DAAC2338094E40072CB808658504,SHA256=249DEA1F161321DBB577AF41AF7B41BEA5DACCAC13A17E6315D84F724457B241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:46.587{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2D3FDE6E76C659863F2F69E91BD516,SHA256=F4F815478FE748968B33FB52252C9177D76E6F3779079B516041419C5909CAAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:46.145{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162D2F6327AB2B56298D02A7758AEC91,SHA256=AB3F1DBB46EE557957787BD06A542CAC289B41FEC7709E89AD97D87DE180F470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:47.587{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF04E7B965A4BCF443D5276011AF2982,SHA256=1CD910C5F2A0271F1CD2ED6FE6D1E867C390A649AD2B37B3FFA50C662A8736E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:47.587{328C47E9-32BD-621F-0D00-000000003602}8844108C:\Windows\system32\svchost.exe{328C47E9-38F7-621F-2206-000000003602}3556C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:47.145{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4CAD484D50153985AE8BC45571640A,SHA256=81F0ACEC356A1496D64937C02597A5D041BC66DB6B3CD908D4D9594223ADC3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:48.621{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2136CCC6243A025CF94E0FCD71A72D9C,SHA256=3C97BF1342DA20CC576F31B2F5C4E85D1CC18B8C8747351E258CD373D5A85D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:48.160{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04207719428BB384F3DBAFD89979E8D4,SHA256=9A4079D4FA725D4CD66DF26C5E9EA9FEAC9C53695CD21E194F641D286492A9FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:49.640{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D5AFF849A641C3F9EE34908B31B6EC,SHA256=3F96150886FE317A97D589970A09BCD59C9460E67FC784CD188D72FD7D49328F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:49.254{0B31F0A7-34D4-621F-1100-000000003702}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7925307C1FBDD87CA0258FD23F2E1EA4,SHA256=BE90F88B2489302B069B09416C8B2D2FBED2CD9DBFE5FA30FEF03625E678ACF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:49.176{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19F118A42155881C0A1D125172DD508,SHA256=C80926394D788AF6FEE3772418D78C8D1ACAA2DBF03F252B4713C67A96B95A49,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:46.984{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50484-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:50.654{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE950C09288E77FA6823677D108A28D2,SHA256=D0D5D9EE55B42E8521429EB9D062573A9D553A3E3E89FE9A6AB04486427E90BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:50.192{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE43F860D378AC1AB2A5D05687A21876,SHA256=50307AE57DB63FD0D651B04B257F85D3D9746029FF63016C64A690121F7C6C6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:49.076{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65338-false10.0.1.12-8000- 23542300x800000000000000046336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:51.655{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BADE8CDBCB00F18E308CE160287DBD,SHA256=67B350EC8A4B9238EBA61F90778187A5850E2EDE948EB4D153C44A7AB70C3B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:51.207{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22ACDB479D9ACAE777D8E5DC1D95568,SHA256=B9C9C80D449F2C3E4EC551BA169660BA0630D46EEA0AC1676920EEF6EDF0B0DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:52.670{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B328CF101FA69793FB7007FF50558AB,SHA256=F5F0EB67ACB8A49B5A8F7A7CFDB671CDD0737D2889C5C2E9F1571748AA16288A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:52.223{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B031CD4E4A6583743A8C25688D38C272,SHA256=BF8996873B343E3EA6F6D90854D0A209123C552965B82AF705237144EF21BDAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:53.685{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66820EDB8EF5D9799CE2E748218CDC31,SHA256=5D5C95542DF9AEFBDE41FC4BAEB111DDCDC0ECC3DFBF8D5921321BF6BF0F9142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:53.239{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AEFFD826F81D06AE0905F417531E662,SHA256=8BDA69696CCCD6576F2021423670117810F95F82FB688BEC0CE2D022E772B301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:54.700{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD9539700EC736D8636A1765F6DFBCA,SHA256=1C40956F206FE7B6C18EFD7537539BC4694560FC0146637BC7114135D6E5574B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:54.254{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE0C04E1B858D7A97B2BE079834E262,SHA256=66F0630439D4E10C69FFD62EF68353C9274A40D2BD68B8590990C9B4B808DC59,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:52.000{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50485-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:55.702{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131F8B363603CEFCBB1D18BFF8E94E24,SHA256=4200EFE0DEDC713FAA09A52279814B2153CF8131C4888C591501DFBA081D082D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:55.254{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA1EBB97EDD50AFC5F21B1E053399D3,SHA256=F821DBEE46CED2098638BD80CBA587C2488A5303194538662F2F4D54146388B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:55.155{328C47E9-32BE-621F-1200-000000003602}340NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=466710C4297FA6904FC376C58D0658DC,SHA256=14C34DB3EF40912578AD86C6D1CB60A9C4D4FA634E643904529A04A667B4B7FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:55.044{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65339-false10.0.1.12-8000- 23542300x800000000000000046343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:56.709{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E817016CC6EB84506343669BACFF08,SHA256=5A718B4A74BF30DA0DCDB2D2809416860FC8CD4DFD248C05E27920B7C7C1A9E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:56.270{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C420D74E456736C616C85B38E782F96,SHA256=F461FE147B75E724E66F73B277A0ACA582A5E9C90C0075868CE64643E05C85F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.957{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA886.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.942{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.895{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA845.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.894{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA835.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.841{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA805.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.742{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.742{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.742{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-32BB-621F-0A00-000000003602}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.726{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDC98E9A1C16F83E945501A54854053,SHA256=AA0371DB3046312AA94F089621707CAADA6D50656300DD924A1494DE81B1AB8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:57.270{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CB2B3033E0D287A3BD2EF4891972CF,SHA256=EC94A683913D376D9D1FBD9F2F510755E3420CD5CA1875F4DC5FEED575C262D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.655{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.524{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\Administrator\AppData\Local\Temp\BRL000015bc\BRA6CA.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.491{328C47E9-32BE-621F-1600-000000003602}13165064C:\Windows\system32\svchost.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.491{328C47E9-32BE-621F-1600-000000003602}13161364C:\Windows\system32\svchost.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.392{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84AF2A6F93BE2FFA606B49DB448AF1C5,SHA256=9EE516405480244678FB24800E99A1CD9F4FE112259C5EFE8228B8FD04A2A9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.392{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0644D4F24A7B4A086D23CBE3EB5ADB5,SHA256=DE7661334F37A2AC139C6D46FEBBF1E388F4DD05BA58D94A7B98A9A63D9FA9A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.389{328C47E9-32BE-621F-1300-000000003602}9566496C:\Windows\System32\svchost.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.389{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.389{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.388{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.388{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000046358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:19:57.387{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe\REGISTRY\A\{891f7ddc-4902-2bd0-74ab-10a47cb48205}\Root\InventoryApplicationFile\idafree76_window|e0238d3472d5f4c1\BinProductVersion7.6.0.0 13241300x800000000000000046357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:19:57.387{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe\REGISTRY\A\{891f7ddc-4902-2bd0-74ab-10a47cb48205}\Root\InventoryApplicationFile\idafree76_window|e0238d3472d5f4c1\LinkDate08/13/2020 16:54:32 13241300x800000000000000046356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:19:57.387{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe\REGISTRY\A\{891f7ddc-4902-2bd0-74ab-10a47cb48205}\Root\InventoryApplicationFile\idafree76_window|e0238d3472d5f4c1\Publisherhex-rays sa 13241300x800000000000000046355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:19:57.387{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe\REGISTRY\A\{891f7ddc-4902-2bd0-74ab-10a47cb48205}\Root\InventoryApplicationFile\idafree76_window|e0238d3472d5f4c1\LowerCaseLongPathc:\temp\idafree76_windows.exe 13241300x800000000000000046354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDBSetValue2022-03-02 10:19:57.275{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exeHKU\S-1-5-21-255986400-45527644-2136164048-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\idafree76_windows.exeBinary Data 10341000x800000000000000046353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.259{328C47E9-32BE-621F-1300-000000003602}9561256C:\Windows\System32\svchost.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.259{328C47E9-32BE-621F-1300-000000003602}9561256C:\Windows\System32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.255{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.254{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.254{328C47E9-38F4-621F-1506-000000003602}39484440C:\Windows\system32\csrss.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.252{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.252{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.252{328C47E9-38F8-621F-2E06-000000003602}23087676C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+aae60|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+18cf1c|C:\Windows\System32\SHELL32.dll+18cc73|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:56.373{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe1.0.0.0-IDA Freeware and Hex-Rays Decompilers (x64) 7.6Hex-Rays SAsetup.exe"C:\Temp\idafree76_windows.exe" C:\Temp\ATTACKRANGE\Administrator{328C47E9-38F6-621F-7F7B-3A0000000000}0x3a7b7f2HighMD5=C98212F18747BA286527C851B9E88858,SHA256=2ECC5B2F5329C4E7A4243634801180BE38A397C31A330324C8ABC605F5DFFB9E,IMPHASH=F3DE104AB04CA2D874306D1847BE46DB{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000046390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.993{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRAC94.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.975{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRAC74.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.959{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRAC73.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.959{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRAC72.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.892{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRAC23.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.881{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRAC22.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.818{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.817{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.736{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FB3722B61EC2FDE2ED6957E9EB3F3B,SHA256=D0F27D3BD43969898F12CF7A64CCB07615E641EE9D182165F4AFE66E115260CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:58.285{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D33596605A40424C174F390A456150A,SHA256=5D589535C3EED5950862F7C712629BB14512D3DA70CD8D09B15C9D5F0C6A19B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.287{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E364D795E13FE7D27E22DBF4B6F67E01,SHA256=BD20CD555F825A6A6A6D9048D808C017FA1341AE00442ACF724038BE38653BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.287{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=44278C5C489EDB26D5632FBC658DDC6F,SHA256=C705FFEC0D507AA22C16C6249C4D811263508EA69BB2706BE9738BD0D82A2DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.276{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA9B0.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.776{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local63393- 354300x800000000000000046411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.758{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65341-false104.18.30.182-80http 354300x800000000000000046410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.731{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65340-false104.18.31.182-80http 354300x800000000000000046409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.727{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local64156- 23542300x800000000000000046408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.743{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F0EB3ABDBA769DBCC801D4C44FCB5C,SHA256=F0787E87659ACEBDE2B12BE860AC7220B261629771AFD72319B6916AECD8EEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:59.301{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D3AF873F4F717A266FCEE130CF48AA,SHA256=1E5EF43194BBE0DD2CC7627C239AF8B2CF68F0E44F916729E30A4C05759D2BF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.474{328C47E9-38F8-621F-2E06-000000003602}2308412C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.474{328C47E9-38F8-621F-2E06-000000003602}2308412C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.459{328C47E9-38F8-621F-2E06-000000003602}2308412C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.459{328C47E9-38F8-621F-2E06-000000003602}23085336C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.459{328C47E9-38F8-621F-2E06-000000003602}23085336C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.459{328C47E9-38F8-621F-2E06-000000003602}23085336C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.459{328C47E9-38F8-621F-2E06-000000003602}23085336C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.075{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.075{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.075{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.075{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.059{328C47E9-38F7-621F-2706-000000003602}10201336C:\Windows\system32\taskhostw.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.044{328C47E9-38F7-621F-2706-000000003602}10201336C:\Windows\system32\taskhostw.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.044{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.044{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.044{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.044{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000019708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:57.093{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50486-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000046416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.780{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65342-false104.18.31.182-80http 23542300x800000000000000046415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:00.743{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923AAAABF05CCFDC3724BF333C8DCC6B,SHA256=95933A4ECE4C6918954914448626B5266AF27C98D7CC152DAD28A4DEDF27B426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:00.317{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F13D827302449836CA84D7B2E4C1CB,SHA256=DD7CD5F5DCFBC12B9B4A7C22773E81D025E6BB56AFD7D11F9123F767BDCA6872,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:00.676{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\SiteSecurityServiceState.txt2022-03-02 09:45:00.595 23542300x800000000000000046413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:00.676{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\SiteSecurityServiceState.txtMD5=59069D13E73B745F6D9529B2480DF1DF,SHA256=37DCC217A0C436293BDA1E38EF295E5821454003469980CBE64C5A4F0CD881D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:01.745{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5173FD97BE9176999A42EEB241F0933D,SHA256=8639C39BEF344B535CE3AFB884CF067C663BF86682BF98BEE66EA5729723DD26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:01.357{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03882D2BA7C7D5F132DFA68C9CB46D0,SHA256=5E3B18245CC813FDD7BE30052FAEFFBAB1425771428CED65D979425EA2A16C41,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:01.064{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65343-false10.0.1.12-8000- 23542300x800000000000000046421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:02.760{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B32B5F5B7C613C7D7425E6C5E3BEE8,SHA256=B7770669CD26956F4A10BCB4B13B9984FD175B89E0D712BEDE046C5CE6EEF8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:02.592{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34049CFCC435C4D1D9A6FFE02502D1B3,SHA256=9B6DFA40AEBB52DC09166ED5591AAA4F949CB1DADF1B4F0D43DF61EF58B30B51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:02.560{328C47E9-38F8-621F-2E06-000000003602}23084880C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80281EE7FD8)|UNKNOWN(FFFFB238AFEA5B68)|UNKNOWN(FFFFB238AFEA5CE7)|UNKNOWN(FFFFB238AFEA0371)|UNKNOWN(FFFFB238AFEA1D3A)|UNKNOWN(FFFFB238AFE9FFF6)|UNKNOWN(FFFFF80281BFF503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000046419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:02.560{328C47E9-38F8-621F-2E06-000000003602}23084880C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80281EE7FD8)|UNKNOWN(FFFFB238AFEA5B68)|UNKNOWN(FFFFB238AFEA5CE7)|UNKNOWN(FFFFB238AFEA0371)|UNKNOWN(FFFFB238AFEA1D3A)|UNKNOWN(FFFFB238AFE9FFF6)|UNKNOWN(FFFFF80281BFF503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:02.560{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF46ba72.TMPMD5=D5F6B777ADEFB28682290A3936AE0977,SHA256=B36332BCD52C7798F89CD1708B921A7A0EC7D94EE22121596F5A118680A5259A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:03.639{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFE560D331453ABEA4E871D703D0735,SHA256=10AB605A95417E9746887C5D3244F53FB88421157187C7F9CC55FCE3D01E4C37,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.976{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\clp64.dll2022-03-02 10:20:03.976 11241100x800000000000000046438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.961{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\libdwarf.dll2022-03-02 10:20:03.961 11241100x800000000000000046437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.961{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\Qt5PrintSupport.dll2022-03-02 10:20:03.961 11241100x800000000000000046436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.861{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\Qt5Core.dll2022-03-02 10:20:03.861 11241100x800000000000000046435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:03.845{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\idahelp.chm2022-03-02 10:20:03.845 23542300x800000000000000046434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:03.761{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7B0B7BE5F2467F476F2CA1BB27B768,SHA256=44E6C17675AE18B3000BB9C0B896770ABF26F2A82CF3CC5876C38BC63823D102,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.734{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\Qt5Widgets.dll2022-03-02 10:20:03.734 23542300x800000000000000046432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:03.733{328C47E9-32CB-621F-3000-000000003602}2276NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b2a54b03ec6c5aa7\channels\health\respondent-20220302090310-074MD5=47B9AB6966A9A68B2D576A1C6AA75061,SHA256=8AF396895B30D9593371F8AB463A5CC9CFB2CD271124040E771BFC539AC707CA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.613{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\Qt5Gui.dll2022-03-02 10:20:03.613 11241100x800000000000000046430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.545{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\tds64.dll2022-03-02 10:20:03.545 11241100x800000000000000046429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.545{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\bdescr64.dll2022-03-02 10:20:03.545 11241100x800000000000000046428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:03.529{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\license.txt2022-03-02 10:20:03.529 11241100x800000000000000046427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.513{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\objc64.dll2022-03-02 10:20:03.513 11241100x800000000000000046426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.513{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\win32_user64.dll2022-03-02 10:20:03.497 11241100x800000000000000046425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.497{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\golang64.dll2022-03-02 10:20:03.497 11241100x800000000000000046424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.497{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\dbg64.dll2022-03-02 10:20:03.497 11241100x800000000000000046423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.491{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\loaders\pe64.dll2022-03-02 10:20:03.476 23542300x800000000000000019715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:04.873{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797B0F89333CA16CE3D0F171CDF0793C,SHA256=5B78CF0FBF6B7ECCEB956B14478D535533C84AD9C13A45C4F4F0EE62D7F318C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.776{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FBAF55D4567FB54C43744470CA726F,SHA256=2BE9AC067015CC4FF38CC45757ACCB2C4B8444E362FB7B246B59314C5BDD2F3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:03.156{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53835- 354300x800000000000000019714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:02.868{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50487-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.730{328C47E9-32CB-621F-3000-000000003602}2276NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b2a54b03ec6c5aa7\channels\health\surveyor-20220302090308-075MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.661{328C47E9-38F4-621F-1506-000000003602}39482168C:\Windows\system32\csrss.exe{328C47E9-44D4-621F-F807-000000003602}228C:\Windows\SYSTEM32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.661{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.661{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.661{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.661{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.661{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-44D4-621F-F807-000000003602}228C:\Windows\SYSTEM32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Temp\idafree76_windows.exe+117d59 154100x800000000000000046450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.664{328C47E9-44D4-621F-F807-000000003602}228C:\Windows\System32\netsh.exe10.0.14393.0 (rs1_release.160715-1616)Network Command ShellMicrosoft® Windows® Operating SystemMicrosoft Corporationnetsh.exeC:\Windows\SYSTEM32\netsh.exe advfirewall firewall show rule "name=\"IDA" Freeware\"C:\Temp\ATTACKRANGE\Administrator{328C47E9-38F6-621F-7F7B-3A0000000000}0x3a7b7f2HighMD5=4D51BCD0B94D09F5DFB80DF754D31E28,SHA256=E5888E649C881E4BBBCE472F6808F93B2B5564D3094995A5A08E66B2406C1607,IMPHASH=51DC8B92EF1620527201E5276E21BCA7{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe"C:\Temp\idafree76_windows.exe" 10341000x800000000000000046449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.661{328C47E9-32BE-621F-1300-000000003602}9566496C:\Windows\System32\svchost.exe{328C47E9-44D4-621F-F807-000000003602}228C:\Windows\SYSTEM32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000046448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.477{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\platforms\qwindows.dll2022-03-02 10:20:04.477 11241100x800000000000000046447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.277{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\dwarf64.dll2022-03-02 10:20:04.277 11241100x800000000000000046446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.261{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\pdb64.dll2022-03-02 10:20:04.261 11241100x800000000000000046445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.199{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\hexx64.dll2022-03-02 10:20:04.199 11241100x800000000000000046444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.177{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\loaders\macho64.dll2022-03-02 10:20:04.177 11241100x800000000000000046443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.161{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\loaders\elf64.dll2022-03-02 10:20:04.161 11241100x800000000000000046442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.146{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\procs\pc64.dll2022-03-02 10:20:04.146 11241100x800000000000000046441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localEXE2022-03-02 10:20:04.076{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\ida64.exe2022-03-02 10:20:04.076 11241100x800000000000000046440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.014{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\ida64.dll2022-03-02 10:20:04.014 13241300x800000000000000046479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:20:05.897{328C47E9-32BE-621F-1500-000000003602}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000009c4) 13241300x800000000000000046478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:20:05.897{328C47E9-32BE-621F-1500-000000003602}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{E52026B6-6DAE-4512-9205-0550734842C0}v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files\IDA Freeware 7.6\ida64.exe|Name=IDA Freeware| 10341000x800000000000000046477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.897{328C47E9-32BE-621F-1500-000000003602}11766204C:\Windows\system32\svchost.exe{328C47E9-44D5-621F-F907-000000003602}6236C:\Windows\SYSTEM32\netsh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+15d5a|c:\windows\system32\mpssvc.dll+2fb3e|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.881{328C47E9-32BE-621F-1600-000000003602}13165064C:\Windows\system32\svchost.exe{328C47E9-44D5-621F-F907-000000003602}6236C:\Windows\SYSTEM32\netsh.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.881{328C47E9-32BE-621F-1600-000000003602}13161364C:\Windows\system32\svchost.exe{328C47E9-44D5-621F-F907-000000003602}6236C:\Windows\SYSTEM32\netsh.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.828{328C47E9-38F4-621F-1506-000000003602}39484440C:\Windows\system32\csrss.exe{328C47E9-44D5-621F-F907-000000003602}6236C:\Windows\SYSTEM32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.828{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.828{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.828{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.828{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.828{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-44D5-621F-F907-000000003602}6236C:\Windows\SYSTEM32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Temp\idafree76_windows.exe+117d59 154100x800000000000000046468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.832{328C47E9-44D5-621F-F907-000000003602}6236C:\Windows\System32\netsh.exe10.0.14393.0 (rs1_release.160715-1616)Network Command ShellMicrosoft® Windows® Operating SystemMicrosoft Corporationnetsh.exeC:\Windows\SYSTEM32\netsh.exe advfirewall firewall add rule "name=\"IDA" Freeware\" "dir=in" "action=allow" "program=\"C:\Program" Files\IDA Freeware 7.6\ida64.exe\"C:\Temp\ATTACKRANGE\Administrator{328C47E9-38F6-621F-7F7B-3A0000000000}0x3a7b7f2HighMD5=4D51BCD0B94D09F5DFB80DF754D31E28,SHA256=E5888E649C881E4BBBCE472F6808F93B2B5564D3094995A5A08E66B2406C1607,IMPHASH=51DC8B92EF1620527201E5276E21BCA7{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe"C:\Temp\idafree76_windows.exe" 10341000x800000000000000046467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.828{328C47E9-32BE-621F-1300-000000003602}9566496C:\Windows\System32\svchost.exe{328C47E9-44D5-621F-F907-000000003602}6236C:\Windows\SYSTEM32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.797{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1EACEDB6F6AEA3E3D6A29708CAD485,SHA256=3405D995948D74752BF8EDA5427FB51B1B81A759ACA513A1A8F4D6B911229099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.678{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2C800793EDA5F7F9A87E6639DE8A0DA,SHA256=44C50040CE6FCD8CD38ADDBD896152F493A713799C9B55B309A56F0A6363F783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.677{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84AF2A6F93BE2FFA606B49DB448AF1C5,SHA256=9EE516405480244678FB24800E99A1CD9F4FE112259C5EFE8228B8FD04A2A9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.527{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2A7261855CB5A669A50A7D30F9B1EDD7,SHA256=6ED31E6B226AF0F2ED3128A94D1515F1CAE7DD0486BE40B6A6DCD8FFBFC6139A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.527{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E364D795E13FE7D27E22DBF4B6F67E01,SHA256=BD20CD555F825A6A6A6D9048D808C017FA1341AE00442ACF724038BE38653BD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.427{328C47E9-32BE-621F-1600-000000003602}13165064C:\Windows\system32\svchost.exe{328C47E9-44D4-621F-F807-000000003602}228C:\Windows\SYSTEM32\netsh.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.427{328C47E9-32BE-621F-1600-000000003602}13161364C:\Windows\system32\svchost.exe{328C47E9-44D4-621F-F807-000000003602}228C:\Windows\SYSTEM32\netsh.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:06.107{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8487B0912E3449F919C43383DBE72614,SHA256=BE487452B59836DCE6EFB2A1984D4425542C45D056D0883F54791309A4621AC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT10232022-03-02 10:20:06.981{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDA Freeware 7.6\Uninstall IDA Freeware and Hex-Rays Decompilers (x64) 7.6.lnk2022-03-02 10:20:06.981 10341000x800000000000000046499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.959{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfce9(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.959{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfc1c(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.959{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64) 10341000x800000000000000046496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.959{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 23542300x800000000000000046495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.814{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B032112F22CF12BF249D92D97682CBC6,SHA256=621B14296909DCFD8D625A6B63973D473C0ADF37E06F10D3242C620D33639D0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.612{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.496{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1a176c(wow64)|C:\Windows\System32\windows.storage.dll+1bfa58(wow64)|C:\Windows\System32\windows.storage.dll+c0f7e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.496{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1a175e(wow64)|C:\Windows\System32\windows.storage.dll+1bfa58(wow64)|C:\Windows\System32\windows.storage.dll+c0f7e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.496{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1a175e(wow64)|C:\Windows\System32\windows.storage.dll+1bfa58(wow64)|C:\Windows\System32\windows.storage.dll+c0f7e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 11241100x800000000000000046490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT10232022-03-02 10:20:06.480{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDA Freeware 7.6\IDA Freeware.lnk2022-03-02 10:20:06.480 11241100x800000000000000046489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT10232022-03-02 10:20:06.396{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDA Freeware 7.62022-03-02 10:20:06.396 11241100x800000000000000046488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localEXE2022-03-02 10:20:06.380{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\uninstall.exe2022-03-02 10:20:06.380 13241300x800000000000000046487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1183,IFEOSetValue2022-03-02 10:20:06.380{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idat64.exe\DisableExceptionChainValidationDWORD (0x00000000) 13241300x800000000000000046486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1183,IFEOSetValue2022-03-02 10:20:06.380{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ida64.exe\DisableExceptionChainValidationDWORD (0x00000000) 13241300x800000000000000046485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1183,IFEOSetValue2022-03-02 10:20:06.376{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idat64.exe\MitigationOptionsDWORD (0x00000100) 13241300x800000000000000046484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1183,IFEOSetValue2022-03-02 10:20:06.375{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ida64.exe\MitigationOptionsDWORD (0x00000100) 13241300x800000000000000046483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1183,IFEOSetValue2022-03-02 10:20:06.359{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idat64.exe\CWDIllegalInDllSearchDWORD (0xffffffff) 13241300x800000000000000046482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1183,IFEOSetValue2022-03-02 10:20:06.359{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ida64.exe\CWDIllegalInDllSearchDWORD (0xffffffff) 13241300x800000000000000046481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1042SetValue2022-03-02 10:20:06.359{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKCR\IDApro.Database64\shell\open\command\(Default)"C:\Program Files\IDA Freeware 7.6\ida64.exe" "%%1" 13241300x800000000000000046480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1042SetValue2022-03-02 10:20:06.359{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKCR\WinGraph.File\shell\open\command\(Default)"C:\Program Files\IDA Freeware 7.6\wingraph32.exe" "%%1" 23542300x800000000000000046541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.838{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D36884FD19EF6C515DC21031D48D7C4,SHA256=9BDB665467F170F513454DC91493120AACFBA6E1E45CD371A8DE294471DD0FCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44D7-621F-9B05-000000003702}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D3-621F-0500-000000003702}392508C:\Windows\system32\csrss.exe{0B31F0A7-44D7-621F-9B05-000000003702}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44D7-621F-9B05-000000003702}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.952{0B31F0A7-44D7-621F-9B05-000000003702}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.342{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D00CCB6408766CA5337B692D39F35BF,SHA256=EAE426437286B8F2F2655EE9EE205833A4416E70F6B97BD6E8DC4817DC67804A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.727{328C47E9-32BE-621F-1600-000000003602}13165064C:\Windows\system32\svchost.exe{328C47E9-44D7-621F-FA07-000000003602}7680C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.727{328C47E9-32BE-621F-1600-000000003602}13161364C:\Windows\system32\svchost.exe{328C47E9-44D7-621F-FA07-000000003602}7680C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.714{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-44D7-621F-FA07-000000003602}7680C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.701{328C47E9-38F4-621F-1506-000000003602}39484440C:\Windows\system32\csrss.exe{328C47E9-44D7-621F-FA07-000000003602}7680C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.696{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-44D7-621F-FA07-000000003602}7680C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.695{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-44D7-621F-FA07-000000003602}7680C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.179{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E1914465AC58C038DB20BD6D0F7D41,SHA256=CB44F8F1CD4A13BCAEFD22F273B8199CE77DDAA49005E6C5B0F72CEA147E85EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.128{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfce9(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.128{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfc1c(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.128{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.128{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 11241100x800000000000000046529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.112{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Users\Public\Desktop\IDA Freeware 7.6.lnk2022-03-02 10:20:07.097 23542300x800000000000000046528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.112{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\Public\Desktop\IDA Freeware 7.6.lnkMD5=DE9B4A0194905741C5115BC474BAF2AD,SHA256=32DE2763C463598CCDC2A8E0EE4F619EE2C3CE51BB77481CB1A884E2AD28D44C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.112{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfce9(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.112{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfc1c(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.112{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64) 10341000x800000000000000046524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.112{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 23542300x800000000000000046523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.112{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2C800793EDA5F7F9A87E6639DE8A0DA,SHA256=44C50040CE6FCD8CD38ADDBD896152F493A713799C9B55B309A56F0A6363F783,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.097{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Users\Public\Desktop\IDA Freeware 7.6.lnk2022-03-02 10:20:07.097 10341000x800000000000000046521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.059{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfce9(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.059{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfc1c(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.059{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.059{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 11241100x800000000000000046517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.044{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\Uninstall IDA Freeware and Hex-Rays Decompilers (x64) 7.6.lnk2022-03-02 10:20:07.044 23542300x800000000000000046516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.044{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\Uninstall IDA Freeware and Hex-Rays Decompilers (x64) 7.6.lnkMD5=2659E5B52939237A7A24A88CB1B48A77,SHA256=4D99CFFF703C7374FB8A7EF1BFF9A0776301F267A84C4D7F7C4E642BEC01538F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.044{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfce9(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.044{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfc1c(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.044{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64) 10341000x800000000000000046512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.044{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 11241100x800000000000000046511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.044{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\Uninstall IDA Freeware and Hex-Rays Decompilers (x64) 7.6.lnk2022-03-02 10:20:07.044 10341000x800000000000000046510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.028{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfce9(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.012{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfc1c(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.012{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.012{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 11241100x800000000000000046506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT10232022-03-02 10:20:06.997{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDA Freeware 7.6\Uninstall IDA Freeware and Hex-Rays Decompilers (x64) 7.6.lnk2022-03-02 10:20:06.981 23542300x800000000000000046505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.997{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDA Freeware 7.6\Uninstall IDA Freeware and Hex-Rays Decompilers (x64) 7.6.lnkMD5=5EA8E5863934A21D48B5696FC50941C3,SHA256=98353079958FFD4FE7556066ACCD5BE37C26BE60E6FF47CD3930A6A972E5B13D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.997{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfce9(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.997{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfc1c(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.997{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64) 10341000x800000000000000046501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.997{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 354300x800000000000000046544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.070{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65344-false10.0.1.12-8000- 23542300x800000000000000046543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:08.857{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D862D36D2579C40660E1B11D4C40A4EA,SHA256=AD75159D19FDC944664EC426D2385BBA7AD15A7D4AE48A10EB0D6A059CFFA0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.967{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AC439406B83B67131E580060AF9808E,SHA256=13AF48E1DAF611CFA3BB1F2557740FD198B905869AA7054385ACD6F47D30F413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.967{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8DD9F9F0189AF9BF69B7BF853F86FF4,SHA256=C67B61CD62DB0A33A2D4A28FE32A4A831A0C1A1FE2C457839784291A56D0EC59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.904{0B31F0A7-44D8-621F-9C05-000000003702}6563664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44D8-621F-9C05-000000003702}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D3-621F-0500-000000003702}392508C:\Windows\system32\csrss.exe{0B31F0A7-44D8-621F-9C05-000000003702}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44D8-621F-9C05-000000003702}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.733{0B31F0A7-44D8-621F-9C05-000000003702}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.422{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0D2C4BD32C3890E792B268D28C2139,SHA256=690C874379683E5DAAB2B159B0F04D456FE9129CD9CD283749F8AAFDBD1B3B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:08.766{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2C9BC83AB106AC63F5CA35B5A02AC9E,SHA256=0FD50E1214204D8F3B1C7AF7CF98C868B9D9CE90E7406AE62948E41B5D2B485E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:09.863{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CF91B058D36A9BFDAAC63A3C095EBB,SHA256=901D31C5BA8BA35A2CF4EB5612211F082D0CD0D6DAE827F2EF2CCEA19A700363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.701{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D092663C3DA15FDD169A0EDEA92618,SHA256=4631977B69289A46F732B604192105EE4E8163B2592EC50444E05F5C7444750E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:09.022{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IDA Freeware and Hex-Rays Decompilers (x64) 7.6\PublisherHex-Rays SA 10341000x800000000000000019760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44D9-621F-9D05-000000003702}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-44D9-621F-9D05-000000003702}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44D9-621F-9D05-000000003702}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.405{0B31F0A7-44D9-621F-9D05-000000003702}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:10.888{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD598D85A903D68275BB04ABE9FFA442,SHA256=52E47249C96153EF94BAA654846E752BD9FB1DE2659EED971499811A3F3D98E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.920{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111D8329D4331B5A2701ACBC1C59F07B,SHA256=B09DC7000BEB6F08F32DC15FE34A5E3487E686974FA0B44B34FA3CAEC111C433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:10.489{328C47E9-38F8-621F-2E06-000000003602}2308ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000014.dbMD5=AF58E861359513C3CAC5D2105A0C1826,SHA256=6123C7459DF5D0D1D734FC618FC3531078B10378115191D2798F11711973E843,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:10.298{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000046554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:10.298{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-3909-621F-3F06-000000003602}1136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000046553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:10.288{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000046552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:10.288{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-3909-621F-3F06-000000003602}1136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 13241300x800000000000000046551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:10.169{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe\REGISTRY\A\{970ebd9b-04a6-1928-bb01-f6e4c104d073}\Root\InventoryApplicationFile\ida64.exe|351c3be5c912654f\BinProductVersion7.6.21.526 13241300x800000000000000046550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:10.169{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe\REGISTRY\A\{970ebd9b-04a6-1928-bb01-f6e4c104d073}\Root\InventoryApplicationFile\ida64.exe|351c3be5c912654f\LinkDate06/13/1992 07:32:23 13241300x800000000000000046549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:10.169{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe\REGISTRY\A\{970ebd9b-04a6-1928-bb01-f6e4c104d073}\Root\InventoryApplicationFile\ida64.exe|351c3be5c912654f\Publisherhex-rays sa 13241300x800000000000000046548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:10.169{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe\REGISTRY\A\{970ebd9b-04a6-1928-bb01-f6e4c104d073}\Root\InventoryApplicationFile\ida64.exe|351c3be5c912654f\LowerCaseLongPathc:\program files\ida freeware 7.6\ida64.exe 13241300x800000000000000046547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:10.167{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe\REGISTRY\A\{970ebd9b-04a6-1928-bb01-f6e4c104d073}\Root\InventoryApplication\0000ff75f657ee1ab87c616ddc31608783c50000ffff\PublisherHex-Rays SA 354300x800000000000000019777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.087{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50488-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.435{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AC439406B83B67131E580060AF9808E,SHA256=13AF48E1DAF611CFA3BB1F2557740FD198B905869AA7054385ACD6F47D30F413,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.389{0B31F0A7-44DA-621F-9E05-000000003702}24441892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.232{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44DA-621F-9E05-000000003702}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.232{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.232{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.232{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.232{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.232{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.232{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.232{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.232{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.232{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.232{0B31F0A7-34D3-621F-0500-000000003702}392508C:\Windows\system32\csrss.exe{0B31F0A7-44DA-621F-9E05-000000003702}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.232{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44DA-621F-9E05-000000003702}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:10.233{0B31F0A7-44DA-621F-9E05-000000003702}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:11.903{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1AC5F9DE06771DF210B61241F047B31,SHA256=6CDF64674F625FB9D7D0DFFE3B03E6BA8D9936F43B6ACD4DE83A1F89CE9717B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:11.951{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BBA5AAC2489338CB92813D44FBE208,SHA256=485ED455C7E6886102A4CFB615C9F131392F5F988B0C4CDC16983569BF4CE358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:12.934{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E15AE88F2304AC7E9E3A40D72EAA7D1,SHA256=B62E7320B81970324DAC2CF0372C3C7ED7EA6982543DB3522A7C47C1308440C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.920{0B31F0A7-44DC-621F-A005-000000003702}32163100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.748{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44DC-621F-A005-000000003702}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.748{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.748{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.748{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.748{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.748{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.748{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.748{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.748{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.748{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.748{0B31F0A7-34D3-621F-0500-000000003702}392508C:\Windows\system32\csrss.exe{0B31F0A7-44DC-621F-A005-000000003702}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.748{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44DC-621F-A005-000000003702}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.749{0B31F0A7-44DC-621F-A005-000000003702}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.279{0B31F0A7-44DC-621F-9F05-000000003702}37962840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.076{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44DC-621F-9F05-000000003702}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.076{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.076{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.076{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.076{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.076{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.076{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.076{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.076{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.076{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.076{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-44DC-621F-9F05-000000003702}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.076{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44DC-621F-9F05-000000003702}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:12.077{0B31F0A7-44DC-621F-9F05-000000003702}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.957{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDB0E5474BBB9DEE494B8B61396929D,SHA256=ED369600BDE628B64A02879AF3735F3E025891D57EBE1602A46297A329D39B53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.757{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.588{328C47E9-32BB-621F-0A00-000000003602}6084548C:\Windows\system32\services.exe{328C47E9-44DD-621F-FD07-000000003602}1736C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.588{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-44DD-621F-FD07-000000003602}1736C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.572{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-44DD-621F-FD07-000000003602}1736C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.572{328C47E9-32BB-621F-0A00-000000003602}608360C:\Windows\system32\services.exe{328C47E9-44DD-621F-FD07-000000003602}1736C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.572{328C47E9-32BB-621F-0B00-000000003602}6161212C:\Windows\system32\lsass.exe{328C47E9-32BB-621F-0A00-000000003602}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.572{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.572{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.572{328C47E9-32BB-621F-0B00-000000003602}6161212C:\Windows\system32\lsass.exe{328C47E9-32BB-621F-0A00-000000003602}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000046575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT10232022-03-02 10:20:13.535{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDA Freeware 7.6\Uninstall IDA Freeware and Hex-Rays Decompilers (x64) 7.6.lnk2022-03-02 10:20:06.981 23542300x800000000000000046574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.535{328C47E9-32BE-621F-1300-000000003602}956NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDA Freeware 7.6\Uninstall IDA Freeware and Hex-Rays Decompilers (x64) 7.6.lnkMD5=E4AE1D2CE0D86A5CA1D40E9230016742,SHA256=10C448AC8B78A47B78F9F57D810F9AA73D1D950E03E561B75EB3431987A7AE48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.519{328C47E9-44DD-621F-FC07-000000003602}42242692C:\Windows\system32\conhost.exe{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.503{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-44DD-621F-FC07-000000003602}4224C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.503{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.503{328C47E9-32BE-621F-1300-000000003602}9568060C:\Windows\System32\svchost.exe{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\pcasvc.dll+43591|c:\windows\system32\pcasvc.dll+22bed|C:\Windows\SYSTEM32\ntdll.dll+7de2d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.503{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.503{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.503{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.503{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.503{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000046564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDBSetValue2022-03-02 10:20:13.488{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exeHKU\S-1-5-21-255986400-45527644-2136164048-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\idafree76_windows.exeBinary Data 11241100x800000000000000046563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.488{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exeC:\Windows\appcompat\Programs\Install\INSTALL_ffff_522ca358-0bab-46b7-a216-201014bde0e5.txt2022-03-02 10:20:13.488 11241100x800000000000000046562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.488{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exeC:\Windows\appcompat\Programs\Install\INSTALL_0000_522ca358-0bab-46b7-a216-201014bde0e5.txt2022-03-02 10:20:13.488 23542300x800000000000000046561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.172{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.172{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=680BB2B0C595C29C0F15975B40F2B00C,SHA256=91615100362784F64885765812F81C63825D753D1D243314B8A1937D409557AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.420{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44DD-621F-A105-000000003702}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.420{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.420{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.420{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.420{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.420{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.420{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.420{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.420{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.420{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.420{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-44DD-621F-A105-000000003702}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.420{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44DD-621F-A105-000000003702}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.421{0B31F0A7-44DD-621F-A105-000000003702}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.217{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6D7F7433A7490F802B2782BD46B6DC,SHA256=E564B6353B1C3F6EE9CFDB976E49B31E10A2F5C7731B11396BD936C15EDD2649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:13.076{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2218B406646518FD894EDFEB308B7124,SHA256=A8AF8B48E70A34BB8E7323C19A9A1C0D5B777272113EC912C7AF1D79F0FCFE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.974{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7494EC9618A6B81C661D3F2AEFD30259,SHA256=06C53865817059383C3054C197B33D4B43E7F82975F59BA97F2A5FA674CC31E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:14.451{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A7F7E60683E4F9298400465DA266A42,SHA256=D44A3321A874E3E6A1C535EAD6F6E7A4B2B29A3C6762C039F55D6756F016AE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:14.092{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD29CAA59EFBA7B18DE1FEC51D50BBEE,SHA256=C7E2FE65F3EC41D4FAFD2B705D678D19EADAE1FCF3052C4B8387DEE48DA55313,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:14.905{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\00003312f700c3d03614c2c9f93e32df9af300000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 23542300x800000000000000046643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.674{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F11A6186871EFE84177DC623508C79,SHA256=A33E34AA83AFC066680A6920618C2BBA41630ED33833AE7BEC10C7846A5755E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.605{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6087B9ACC1DEC387BDD3299322220F32,SHA256=EA4DD28B68B070DFBADC124CF320162A86CBB39A3C700707877553958E8776C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3909-621F-3F06-000000003602}1136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2A7261855CB5A669A50A7D30F9B1EDD7,SHA256=6ED31E6B226AF0F2ED3128A94D1515F1CAE7DD0486BE40B6A6DCD8FFBFC6139A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3909-621F-3F06-000000003602}1136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3909-621F-3F06-000000003602}1136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.572{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.535{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84F6662CA2CC937B9D4F1C2D1B9A5D98,SHA256=DBD93692C90A55BD5930869703D64D568730F601DB48DF6C3A7649D990718680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.535{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37308308076BAD7FBF0728A310D55E76,SHA256=3B4A60336CBC077D6E11945F6D7F8C3EF8E7597BA1B626609BAFAC40F91DC30B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:14.504{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\00004ee7114ba1c474f7bbd42f8c9f930b0700000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 13241300x800000000000000046592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:14.388{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\000068583dc536ea8c3daf81bdbdf12127d400000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 13241300x800000000000000046591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:14.272{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\000070aa163b48d93a6fb1c459f613fcd65f00000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 10341000x800000000000000046590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.135{328C47E9-3B6C-621F-9E06-000000003602}1620856C:\Program Files\Mozilla Firefox\firefox.exe{328C47E9-3C8A-621F-E206-000000003602}4368C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e38528|C:\Program Files\Mozilla Firefox\xul.dll+840734|C:\Program Files\Mozilla Firefox\xul.dll+834311|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+168da29|C:\Program Files\Mozilla Firefox\xul.dll+19ee82f|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+18db08|C:\Program Files\Mozilla Firefox\xul.dll+18ca0f|C:\Program Files\Mozilla Firefox\xul.dll+43f0b91|C:\Program Files\Mozilla Firefox\xul.dll+445b03b|C:\Program Files\Mozilla Firefox\xul.dll+445be29|C:\Program Files\Mozilla Firefox\xul.dll+1f9ac83|C:\Program Files\Mozilla Firefox\firefox.exe+9dd0|C:\Program Files\Mozilla Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000046589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:14.072{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\000027bb02f51e48dc3e0db3390b300af68d00000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 10341000x800000000000000046588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.019{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.003{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.003{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000019826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:14.056{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50489-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:15.123{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4971ACAA2449918257B3FC6BE1CED7FE,SHA256=58880945DBDF50E56E1B4215906D9D85061031E4D817BD0880631CCD37341F20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:15.358{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:15.358{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:15.358{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:15.357{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:15.357{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:15.357{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:15.357{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000046664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.136{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local63303- 13241300x800000000000000046663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\BinProductVersion21.7.0.0 13241300x800000000000000046662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\LinkDate12/26/2021 14:00:00 13241300x800000000000000046661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\Publisherigor pavlov 13241300x800000000000000046660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\LowerCaseLongPathc:\program files\7-zip\uninstall.exe 13241300x800000000000000046659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\BinProductVersion21.7.0.0 13241300x800000000000000046658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\LinkDate12/26/2021 14:00:00 13241300x800000000000000046657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\Publisherigor pavlov 13241300x800000000000000046656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\LowerCaseLongPathc:\program files\7-zip\7zg.exe 13241300x800000000000000046655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\BinProductVersion21.7.0.0 13241300x800000000000000046654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\LinkDate12/26/2021 14:00:00 13241300x800000000000000046653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\Publisherigor pavlov 13241300x800000000000000046652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\LowerCaseLongPathc:\program files\7-zip\7zfm.exe 13241300x800000000000000046651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\BinProductVersion21.7.0.0 13241300x800000000000000046650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\LinkDate12/26/2021 14:00:00 13241300x800000000000000046649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\Publisherigor pavlov 13241300x800000000000000046648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\LowerCaseLongPathc:\program files\7-zip\7z.exe 13241300x800000000000000046647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:15.136{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\00003942b4a5b0d77eaf8e5449c4887179bc0000ffff\PublisherIgor Pavlov 354300x800000000000000046646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:13.076{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65345-false10.0.1.12-8000- 23542300x800000000000000019827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:16.154{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76216D100FBAA522EFA8E476356DE79E,SHA256=D43D5B907613D217F88C9289B9BA766CC1986703C7AD5A684C6012EF2910F486,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000046678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.158{328C47E9-3B6C-621F-9E06-000000003602}1620onedscolprdeus08.eastus.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000046677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.139{328C47E9-3B6C-621F-9E06-000000003602}1620onedscolprdeus08.eastus.cloudapp.azure.com020.42.65.88;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000046676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:16.605{328C47E9-38F8-621F-2E06-000000003602}2308ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.dbMD5=897F8F582E57E8B105AE699505F8EE6E,SHA256=9196CEDB3CA7CB8ADD1C5BE2C7F22EBE3805092336A2FF8321B4009F3272FDB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.242{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65347-false20.42.65.88-443https 354300x800000000000000046674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.224{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65346-false20.42.65.88-443https 354300x800000000000000046673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:14.137{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53399- 23542300x800000000000000046672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:15.989{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52FB0883E36A10DADBDD6CC5CBE5BE5A,SHA256=ED847A45000B7E04E013910CEB320FC5F3A79A9FD9933B560519388F4E648EEA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\BinProductVersion(Empty) 13241300x800000000000000046937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\LinkDate01/01/1970 00:00:00 13241300x800000000000000046936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\Publisher(Empty) 13241300x800000000000000046935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\LowerCaseLongPathc:\program files\git\usr\bin\dumpsexp.exe 13241300x800000000000000046934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\BinProductVersion(Empty) 13241300x800000000000000046933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\LinkDate01/01/1970 00:00:00 13241300x800000000000000046932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\Publisher(Empty) 13241300x800000000000000046931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\LowerCaseLongPathc:\program files\git\usr\bin\du.exe 13241300x800000000000000046930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\BinProductVersion(Empty) 13241300x800000000000000046929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\LinkDate01/01/1970 00:00:00 13241300x800000000000000046928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\Publisher(Empty) 13241300x800000000000000046927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\LowerCaseLongPathc:\program files\git\usr\bin\dos2unix.exe 13241300x800000000000000046926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\BinProductVersion(Empty) 13241300x800000000000000046925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\LinkDate01/01/1970 00:00:00 13241300x800000000000000046924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\Publisher(Empty) 13241300x800000000000000046923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\LowerCaseLongPathc:\program files\git\usr\bin\dirname.exe 13241300x800000000000000046922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\BinProductVersion(Empty) 13241300x800000000000000046921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\LinkDate01/01/1970 00:00:00 13241300x800000000000000046920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\Publisher(Empty) 13241300x800000000000000046919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\LowerCaseLongPathc:\program files\git\usr\bin\dirmngr.exe 13241300x800000000000000046918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\BinProductVersion(Empty) 13241300x800000000000000046917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\LinkDate01/01/1970 00:00:00 13241300x800000000000000046916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\Publisher(Empty) 13241300x800000000000000046915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\LowerCaseLongPathc:\program files\git\usr\bin\dirmngr-client.exe 13241300x800000000000000046914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\BinProductVersion(Empty) 13241300x800000000000000046913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\LinkDate01/01/1970 00:00:00 13241300x800000000000000046912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\Publisher(Empty) 13241300x800000000000000046911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\LowerCaseLongPathc:\program files\git\usr\bin\dircolors.exe 13241300x800000000000000046910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\BinProductVersion(Empty) 13241300x800000000000000046909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\LinkDate01/01/1970 00:00:00 13241300x800000000000000046908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\Publisher(Empty) 13241300x800000000000000046907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\LowerCaseLongPathc:\program files\git\usr\bin\dir.exe 13241300x800000000000000046906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\BinProductVersion(Empty) 13241300x800000000000000046905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\LinkDate01/01/1970 00:00:00 13241300x800000000000000046904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\Publisher(Empty) 13241300x800000000000000046903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\LowerCaseLongPathc:\program files\git\usr\bin\diff3.exe 13241300x800000000000000046902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\BinProductVersion(Empty) 13241300x800000000000000046901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\LinkDate01/01/1970 00:00:00 13241300x800000000000000046900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\Publisher(Empty) 13241300x800000000000000046899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\LowerCaseLongPathc:\program files\git\usr\bin\diff.exe 13241300x800000000000000046898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\BinProductVersion(Empty) 13241300x800000000000000046897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\LinkDate01/01/1970 00:00:00 13241300x800000000000000046896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\Publisher(Empty) 13241300x800000000000000046895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\LowerCaseLongPathc:\program files\git\usr\bin\df.exe 13241300x800000000000000046894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\BinProductVersion(Empty) 13241300x800000000000000046893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\LinkDate01/01/1970 00:00:00 13241300x800000000000000046892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\Publisher(Empty) 13241300x800000000000000046891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\LowerCaseLongPathc:\program files\git\usr\bin\dd.exe 13241300x800000000000000046890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\BinProductVersion(Empty) 13241300x800000000000000046889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\LinkDate01/01/1970 00:00:00 13241300x800000000000000046888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\Publisher(Empty) 13241300x800000000000000046887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\LowerCaseLongPathc:\program files\git\usr\bin\date.exe 13241300x800000000000000046886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\BinProductVersion(Empty) 13241300x800000000000000046885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\LinkDate01/01/1970 00:00:00 13241300x800000000000000046884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\Publisher(Empty) 13241300x800000000000000046883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\LowerCaseLongPathc:\program files\git\usr\bin\dash.exe 13241300x800000000000000046882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\BinProductVersion(Empty) 13241300x800000000000000046881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\LinkDate01/01/1970 00:00:00 13241300x800000000000000046880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\Publisher(Empty) 13241300x800000000000000046879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\LowerCaseLongPathc:\program files\git\usr\bin\d2u.exe 13241300x800000000000000046878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\BinProductVersion(Empty) 13241300x800000000000000046877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\LinkDate01/17/2022 11:52:23 13241300x800000000000000046876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\Publisher(Empty) 13241300x800000000000000046875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\LowerCaseLongPathc:\program files\git\usr\bin\cygwin-console-helper.exe 13241300x800000000000000046874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\BinProductVersion(Empty) 13241300x800000000000000046873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\LinkDate01/17/2022 11:53:00 13241300x800000000000000046872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\Publisher(Empty) 13241300x800000000000000046871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\LowerCaseLongPathc:\program files\git\usr\bin\cygpath.exe 13241300x800000000000000046870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\BinProductVersion(Empty) 13241300x800000000000000046869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\LinkDate01/17/2022 11:52:23 13241300x800000000000000046868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\Publisher(Empty) 13241300x800000000000000046867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\LowerCaseLongPathc:\program files\git\usr\bin\cygcheck.exe 13241300x800000000000000046866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\BinProductVersion(Empty) 13241300x800000000000000046865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\LinkDate01/01/1970 00:00:00 13241300x800000000000000046864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\Publisher(Empty) 13241300x800000000000000046863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\LowerCaseLongPathc:\program files\git\usr\bin\cut.exe 13241300x800000000000000046862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\BinProductVersion(Empty) 13241300x800000000000000046861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\LinkDate01/05/2022 10:29:14 13241300x800000000000000046860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\Publisher(Empty) 13241300x800000000000000046859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\LowerCaseLongPathc:\program files\git\mingw64\bin\curl.exe 13241300x800000000000000046858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\BinProductVersion(Empty) 13241300x800000000000000046857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\LinkDate01/01/1970 00:00:00 13241300x800000000000000046856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\Publisher(Empty) 13241300x800000000000000046855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\LowerCaseLongPathc:\program files\git\usr\bin\csplit.exe 13241300x800000000000000046854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\BinProductVersion(Empty) 13241300x800000000000000046853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\LinkDate01/01/1970 00:00:00 13241300x800000000000000046852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\Publisher(Empty) 13241300x800000000000000046851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\LowerCaseLongPathc:\program files\git\mingw64\bin\create-shortcut.exe 13241300x800000000000000046850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\BinProductVersion(Empty) 13241300x800000000000000046849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\LinkDate01/01/1970 00:00:00 13241300x800000000000000046848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\Publisher(Empty) 13241300x800000000000000046847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\LowerCaseLongPathc:\program files\git\usr\bin\cp.exe 13241300x800000000000000046846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\BinProductVersion(Empty) 13241300x800000000000000046845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\LinkDate01/01/1970 00:00:00 13241300x800000000000000046844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\Publisher(Empty) 13241300x800000000000000046843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\LowerCaseLongPathc:\program files\git\mingw64\bin\connect.exe 13241300x800000000000000046842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\BinProductVersion2.35.1.2 13241300x800000000000000046841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\LinkDate02/01/2022 15:47:52 13241300x800000000000000046840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\Publisherthe git development community 13241300x800000000000000046839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\LowerCaseLongPathc:\program files\git\mingw64\share\git\compat-bash.exe 13241300x800000000000000046838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\BinProductVersion(Empty) 13241300x800000000000000046837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\LinkDate01/01/1970 00:00:00 13241300x800000000000000046836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\Publisher(Empty) 13241300x800000000000000046835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\LowerCaseLongPathc:\program files\git\usr\bin\comm.exe 13241300x800000000000000046834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\BinProductVersion(Empty) 13241300x800000000000000046833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\LinkDate01/01/1970 00:00:00 13241300x800000000000000046832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\Publisher(Empty) 13241300x800000000000000046831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\LowerCaseLongPathc:\program files\git\usr\bin\column.exe 13241300x800000000000000046830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\BinProductVersion(Empty) 13241300x800000000000000046829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\LinkDate01/01/1970 00:00:00 13241300x800000000000000046828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\Publisher(Empty) 13241300x800000000000000046827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\LowerCaseLongPathc:\program files\git\usr\bin\cmp.exe 13241300x800000000000000046826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\BinProductVersion(Empty) 13241300x800000000000000046825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\LinkDate01/01/1970 00:00:00 13241300x800000000000000046824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\Publisher(Empty) 13241300x800000000000000046823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\LowerCaseLongPathc:\program files\git\usr\bin\clear.exe 13241300x800000000000000046822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\BinProductVersion(Empty) 13241300x800000000000000046821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\LinkDate01/01/1970 00:00:00 13241300x800000000000000046820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\Publisher(Empty) 13241300x800000000000000046819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\LowerCaseLongPathc:\program files\git\usr\lib\gettext\cldr-plurals.exe 13241300x800000000000000046818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\BinProductVersion(Empty) 13241300x800000000000000046817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\LinkDate01/01/1970 00:00:00 13241300x800000000000000046816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\Publisher(Empty) 13241300x800000000000000046815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\LowerCaseLongPathc:\program files\git\usr\bin\cksum.exe 13241300x800000000000000046814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\BinProductVersion(Empty) 13241300x800000000000000046813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\LinkDate01/01/1970 00:00:00 13241300x800000000000000046812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\Publisher(Empty) 13241300x800000000000000046811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\LowerCaseLongPathc:\program files\git\usr\bin\chroot.exe 13241300x800000000000000046810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\BinProductVersion(Empty) 13241300x800000000000000046809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\LinkDate01/01/1970 00:00:00 13241300x800000000000000046808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\Publisher(Empty) 13241300x800000000000000046807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\LowerCaseLongPathc:\program files\git\usr\bin\chown.exe 13241300x800000000000000046806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\BinProductVersion(Empty) 13241300x800000000000000046805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\LinkDate01/01/1970 00:00:00 13241300x800000000000000046804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\Publisher(Empty) 13241300x800000000000000046803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\LowerCaseLongPathc:\program files\git\usr\bin\chmod.exe 13241300x800000000000000046802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\BinProductVersion(Empty) 13241300x800000000000000046801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\LinkDate01/01/1970 00:00:00 13241300x800000000000000046800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\Publisher(Empty) 13241300x800000000000000046799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\LowerCaseLongPathc:\program files\git\usr\bin\chgrp.exe 13241300x800000000000000046798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\BinProductVersion(Empty) 13241300x800000000000000046797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\LinkDate01/01/1970 00:00:00 13241300x800000000000000046796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\Publisher(Empty) 13241300x800000000000000046795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\LowerCaseLongPathc:\program files\git\usr\bin\chcon.exe 13241300x800000000000000046794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\BinProductVersion(Empty) 13241300x800000000000000046793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\LinkDate01/17/2022 11:53:00 13241300x800000000000000046792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\Publisher(Empty) 13241300x800000000000000046791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\LowerCaseLongPathc:\program files\git\usr\bin\chattr.exe 13241300x800000000000000046790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\BinProductVersion(Empty) 13241300x800000000000000046789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\LinkDate01/01/1970 00:00:00 23542300x800000000000000019828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:17.175{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18767D0213B23D7CFA62D8D600245D5D,SHA256=9111E6B40A5EB975F98500CF2A4DF7C235B2C78A60FAEA6E7648CBED06133608,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\Publisher(Empty) 13241300x800000000000000046787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\LowerCaseLongPathc:\program files\git\usr\bin\cat.exe 13241300x800000000000000046786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\BinProductVersion(Empty) 13241300x800000000000000046785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\LinkDate01/01/1970 00:00:00 13241300x800000000000000046784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\Publisher(Empty) 13241300x800000000000000046783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\LowerCaseLongPathc:\program files\git\usr\bin\captoinfo.exe 13241300x800000000000000046782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\BinProductVersion(Empty) 13241300x800000000000000046781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\LinkDate01/01/1970 00:00:00 13241300x800000000000000046780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\Publisher(Empty) 13241300x800000000000000046779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\LowerCaseLongPathc:\program files\git\mingw64\bin\bzip2recover.exe 13241300x800000000000000046778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\BinProductVersion(Empty) 13241300x800000000000000046777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\LinkDate01/01/1970 00:00:00 13241300x800000000000000046776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\Publisher(Empty) 13241300x800000000000000046775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\LowerCaseLongPathc:\program files\git\usr\bin\bzip2recover.exe 13241300x800000000000000046774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\BinProductVersion(Empty) 13241300x800000000000000046773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\LinkDate01/01/1970 00:00:00 13241300x800000000000000046772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\Publisher(Empty) 13241300x800000000000000046771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\LowerCaseLongPathc:\program files\git\mingw64\bin\bzip2.exe 13241300x800000000000000046770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\BinProductVersion(Empty) 13241300x800000000000000046769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\LinkDate01/01/1970 00:00:00 13241300x800000000000000046768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\Publisher(Empty) 13241300x800000000000000046767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\LowerCaseLongPathc:\program files\git\usr\bin\bzip2.exe 13241300x800000000000000046766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\BinProductVersion(Empty) 13241300x800000000000000046765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\LinkDate01/01/1970 00:00:00 13241300x800000000000000046764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\Publisher(Empty) 13241300x800000000000000046763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\LowerCaseLongPathc:\program files\git\usr\bin\bzcat.exe 13241300x800000000000000046762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\BinProductVersion(Empty) 13241300x800000000000000046761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\LinkDate01/01/1970 00:00:00 13241300x800000000000000046760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\Publisher(Empty) 13241300x800000000000000046759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\LowerCaseLongPathc:\program files\git\mingw64\bin\bzcat.exe 13241300x800000000000000046758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\BinProductVersion(Empty) 13241300x800000000000000046757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\LinkDate01/01/1970 00:00:00 13241300x800000000000000046756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\Publisher(Empty) 13241300x800000000000000046755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\LowerCaseLongPathc:\program files\git\mingw64\bin\bunzip2.exe 13241300x800000000000000046754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\BinProductVersion(Empty) 13241300x800000000000000046753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\LinkDate01/01/1970 00:00:00 13241300x800000000000000046752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\Publisher(Empty) 13241300x800000000000000046751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\LowerCaseLongPathc:\program files\git\usr\bin\bunzip2.exe 13241300x800000000000000046750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\BinProductVersion(Empty) 13241300x800000000000000046749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\LinkDate01/01/1970 00:00:00 13241300x800000000000000046748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\Publisher(Empty) 13241300x800000000000000046747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\LowerCaseLongPathc:\program files\git\mingw64\bin\brotli.exe 13241300x800000000000000046746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\BinProductVersion(Empty) 13241300x800000000000000046745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\LinkDate01/01/1970 00:00:00 13241300x800000000000000046744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\Publisher(Empty) 13241300x800000000000000046743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\LowerCaseLongPathc:\program files\git\mingw64\bin\blocked-file-util.exe 13241300x800000000000000046742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\BinProductVersion2.35.1.2 13241300x800000000000000046741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.673{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\LinkDate02/01/2022 15:47:52 13241300x800000000000000046740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\Publisherthe git development community 13241300x800000000000000046739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\LowerCaseLongPathc:\program files\git\bin\bash.exe 13241300x800000000000000046738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\BinProductVersion(Empty) 13241300x800000000000000046737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\LinkDate01/01/1970 00:00:00 13241300x800000000000000046736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\Publisher(Empty) 13241300x800000000000000046735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\LowerCaseLongPathc:\program files\git\usr\bin\bash.exe 13241300x800000000000000046734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\BinProductVersion(Empty) 13241300x800000000000000046733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\LinkDate01/01/1970 00:00:00 13241300x800000000000000046732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\Publisher(Empty) 13241300x800000000000000046731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\LowerCaseLongPathc:\program files\git\usr\bin\basenc.exe 13241300x800000000000000046730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\BinProductVersion(Empty) 13241300x800000000000000046729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\LinkDate01/01/1970 00:00:00 13241300x800000000000000046728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\Publisher(Empty) 13241300x800000000000000046727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\LowerCaseLongPathc:\program files\git\usr\bin\basename.exe 13241300x800000000000000046726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\BinProductVersion(Empty) 13241300x800000000000000046725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\LinkDate01/01/1970 00:00:00 13241300x800000000000000046724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\Publisher(Empty) 13241300x800000000000000046723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\LowerCaseLongPathc:\program files\git\usr\bin\base64.exe 13241300x800000000000000046722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\BinProductVersion(Empty) 13241300x800000000000000046721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\LinkDate01/01/1970 00:00:00 13241300x800000000000000046720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\Publisher(Empty) 13241300x800000000000000046719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\LowerCaseLongPathc:\program files\git\usr\bin\base32.exe 13241300x800000000000000046718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\BinProductVersion(Empty) 13241300x800000000000000046717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\LinkDate01/01/1970 00:00:00 13241300x800000000000000046716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\Publisher(Empty) 13241300x800000000000000046715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\LowerCaseLongPathc:\program files\git\usr\bin\b2sum.exe 13241300x800000000000000046714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\BinProductVersion(Empty) 13241300x800000000000000046713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\LinkDate01/01/1970 00:00:00 13241300x800000000000000046712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\Publisher(Empty) 13241300x800000000000000046711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\LowerCaseLongPathc:\program files\git\usr\bin\awk.exe 13241300x800000000000000046710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\BinProductVersion2.0.632.0 13241300x800000000000000046709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\LinkDate05/14/2047 06:23:20 13241300x800000000000000046708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\Publisheratlassian.bitbucket.ui 13241300x800000000000000046707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\atlassian.bitbucket.ui.exe 13241300x800000000000000046706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\BinProductVersion(Empty) 13241300x800000000000000046705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\LinkDate01/01/1970 00:00:00 13241300x800000000000000046704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\Publisher(Empty) 13241300x800000000000000046703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\LowerCaseLongPathc:\program files\git\usr\bin\arch.exe 13241300x800000000000000046702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\BinProductVersion(Empty) 13241300x800000000000000046701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\LinkDate01/01/1970 00:00:00 13241300x800000000000000046700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\Publisher(Empty) 13241300x800000000000000046699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\LowerCaseLongPathc:\program files\git\mingw64\bin\antiword.exe 13241300x800000000000000046698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\BinProductVersion(Empty) 13241300x800000000000000046697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\LinkDate01/01/1970 00:00:00 13241300x800000000000000046696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\Publisher(Empty) 13241300x800000000000000046695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\LowerCaseLongPathc:\program files\git\mingw64\bin\ahost.exe 13241300x800000000000000046694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\BinProductVersion(Empty) 13241300x800000000000000046693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\LinkDate01/01/1970 00:00:00 13241300x800000000000000046692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\Publisher(Empty) 13241300x800000000000000046691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\LowerCaseLongPathc:\program files\git\mingw64\bin\adig.exe 13241300x800000000000000046690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\BinProductVersion(Empty) 13241300x800000000000000046689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\LinkDate01/01/1970 00:00:00 13241300x800000000000000046688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\Publisher(Empty) 13241300x800000000000000046687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\LowerCaseLongPathc:\program files\git\mingw64\bin\acountry.exe 13241300x800000000000000046686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\BinProductVersion(Empty) 13241300x800000000000000046685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\LinkDate01/01/1970 00:00:00 13241300x800000000000000046684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\Publisher(Empty) 13241300x800000000000000046683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\LowerCaseLongPathc:\program files\git\usr\bin\[.exe 13241300x800000000000000046682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.658{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\00001616a485746a3e8d392f011e10053ffe0000ffff\PublisherThe Git Development Community 354300x800000000000000046681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:15.151{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local50211- 354300x800000000000000046680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:15.149{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local51167- 23542300x800000000000000046679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:17.005{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B151EA76F550692F7C9060536A6F74,SHA256=A3FA5386C5F9C57445D226A9F93C6A8005B5C181830B07A27F30271ADDCC6BA3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\Publisher(Empty) 13241300x800000000000000047771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-wks-client.exe 13241300x800000000000000047770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\BinProductVersion(Empty) 13241300x800000000000000047769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\LinkDate01/01/1970 00:00:00 13241300x800000000000000047768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\Publisher(Empty) 13241300x800000000000000047767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-protect-tool.exe 13241300x800000000000000047766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\BinProductVersion(Empty) 13241300x800000000000000047765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\LinkDate01/01/1970 00:00:00 13241300x800000000000000047764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\Publisher(Empty) 13241300x800000000000000047763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-preset-passphrase.exe 13241300x800000000000000047762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\BinProductVersion(Empty) 13241300x800000000000000047761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\LinkDate01/01/1970 00:00:00 13241300x800000000000000047760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\Publisher(Empty) 13241300x800000000000000047759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\LowerCaseLongPathc:\program files\git\usr\bin\gpg-error.exe 13241300x800000000000000047758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\BinProductVersion(Empty) 13241300x800000000000000047757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\LinkDate01/01/1970 00:00:00 13241300x800000000000000047756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\Publisher(Empty) 13241300x800000000000000047755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\LowerCaseLongPathc:\program files\git\usr\bin\gpg-connect-agent.exe 13241300x800000000000000047754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\BinProductVersion(Empty) 13241300x800000000000000047753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\LinkDate01/01/1970 00:00:00 13241300x800000000000000047752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\Publisher(Empty) 13241300x800000000000000047751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-check-pattern.exe 13241300x800000000000000047750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\BinProductVersion(Empty) 13241300x800000000000000047749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\LinkDate01/01/1970 00:00:00 13241300x800000000000000047748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\Publisher(Empty) 13241300x800000000000000047747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\LowerCaseLongPathc:\program files\git\usr\bin\gpg-agent.exe 13241300x800000000000000047746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\BinProductVersion(Empty) 13241300x800000000000000047745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\LinkDate01/01/1970 00:00:00 13241300x800000000000000047744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\Publisher(Empty) 13241300x800000000000000047743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\LowerCaseLongPathc:\program files\git\usr\bin\gobject-query.exe 13241300x800000000000000047742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gmondump.exe|7581b15ccb19a5a1\BinProductVersion(Empty) 13241300x800000000000000047741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gmondump.exe|7581b15ccb19a5a1\LinkDate01/17/2022 11:53:01 13241300x800000000000000047740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gmondump.exe|7581b15ccb19a5a1\Publisher(Empty) 13241300x800000000000000047739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gmondump.exe|7581b15ccb19a5a1\LowerCaseLongPathc:\program files\git\usr\bin\gmondump.exe 13241300x800000000000000047738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\BinProductVersion(Empty) 13241300x800000000000000047737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\LinkDate01/01/1970 00:00:00 13241300x800000000000000047736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\Publisher(Empty) 13241300x800000000000000047735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\LowerCaseLongPathc:\program files\git\usr\bin\glib-compile-schemas.exe 13241300x800000000000000047734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\BinProductVersion(Empty) 13241300x800000000000000047733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\LinkDate01/01/1970 00:00:00 13241300x800000000000000047732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\Publisher(Empty) 13241300x800000000000000047731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\LowerCaseLongPathc:\program files\git\usr\bin\gkill.exe 13241300x800000000000000047730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\BinProductVersion2.35.1.2 13241300x800000000000000047729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\LinkDate02/01/2022 15:47:52 13241300x800000000000000047728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\Publisherthe git development community 13241300x800000000000000047727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\LowerCaseLongPathc:\program files\git\cmd\gitk.exe 13241300x800000000000000047726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\BinProductVersion2.0.632.0 13241300x800000000000000047725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\LinkDate07/06/2104 07:53:09 13241300x800000000000000047724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\Publishergithub.ui 13241300x800000000000000047723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\github.ui.exe 13241300x800000000000000047722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\BinProductVersion2.35.1.2 13241300x800000000000000047721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\LinkDate02/01/2022 15:47:52 13241300x800000000000000047720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\Publisherthe git development community 13241300x800000000000000047719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git.exe 13241300x800000000000000047718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\BinProductVersion2.35.1.2 13241300x800000000000000047717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\LinkDate02/01/2022 15:47:52 13241300x800000000000000047716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\Publisherthe git development community 13241300x800000000000000047715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\LowerCaseLongPathc:\program files\git\bin\git.exe 13241300x800000000000000047714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\BinProductVersion2.35.1.2 13241300x800000000000000047713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\LinkDate02/01/2022 15:47:52 13241300x800000000000000047712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\Publisherthe git development community 13241300x800000000000000047711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\LowerCaseLongPathc:\program files\git\mingw64\bin\git.exe 13241300x800000000000000047710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\BinProductVersion2.35.1.2 13241300x800000000000000047709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\LinkDate02/01/2022 15:47:52 13241300x800000000000000047708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\Publisherthe git development community 13241300x800000000000000047707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\LowerCaseLongPathc:\program files\git\cmd\git.exe 13241300x800000000000000047706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\BinProductVersion2.35.1.2 13241300x800000000000000047705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\LinkDate02/01/2022 15:47:52 13241300x800000000000000047704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\Publisherthe git development community 13241300x800000000000000047703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-write-tree.exe 13241300x800000000000000047702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\BinProductVersion2.35.1.2 13241300x800000000000000047701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\LinkDate02/01/2022 15:47:52 13241300x800000000000000047700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\Publisherthe git development community 13241300x800000000000000047699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\LowerCaseLongPathc:\program files\git\mingw64\share\git\git-wrapper.exe 13241300x800000000000000047698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\BinProductVersion2.35.1.2 13241300x800000000000000047697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\LinkDate02/01/2022 15:47:52 13241300x800000000000000047696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\Publisherthe git development community 13241300x800000000000000047695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-worktree.exe 13241300x800000000000000047694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\BinProductVersion2.35.1.2 13241300x800000000000000047693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\LinkDate02/01/2022 15:47:52 13241300x800000000000000047692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\Publisherthe git development community 13241300x800000000000000047691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-whatchanged.exe 13241300x800000000000000047690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\BinProductVersion2.35.1.2 13241300x800000000000000047689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\LinkDate02/01/2022 15:47:52 13241300x800000000000000047688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\Publisherthe git development community 13241300x800000000000000047687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-verify-tag.exe 13241300x800000000000000047686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\BinProductVersion2.35.1.2 13241300x800000000000000047685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\LinkDate02/01/2022 15:47:52 13241300x800000000000000047684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\Publisherthe git development community 13241300x800000000000000047683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-verify-pack.exe 13241300x800000000000000047682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\BinProductVersion2.35.1.2 13241300x800000000000000047681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\LinkDate02/01/2022 15:47:52 13241300x800000000000000047680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\Publisherthe git development community 13241300x800000000000000047679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-verify-commit.exe 13241300x800000000000000047678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\BinProductVersion2.35.1.2 13241300x800000000000000047677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\LinkDate02/01/2022 15:47:52 13241300x800000000000000047676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\Publisherthe git development community 13241300x800000000000000047675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-var.exe 13241300x800000000000000047674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\BinProductVersion2.35.1.2 13241300x800000000000000047673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\LinkDate02/01/2022 15:47:52 13241300x800000000000000047672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\Publisherthe git development community 13241300x800000000000000047671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\LowerCaseLongPathc:\program files\git\mingw64\bin\git-upload-pack.exe 13241300x800000000000000047670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\BinProductVersion2.35.1.2 13241300x800000000000000047669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\LinkDate02/01/2022 15:47:52 13241300x800000000000000047668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\Publisherthe git development community 13241300x800000000000000047667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-upload-pack.exe 13241300x800000000000000047666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\BinProductVersion2.35.1.2 13241300x800000000000000047665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\LinkDate02/01/2022 15:47:52 13241300x800000000000000047664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\Publisherthe git development community 13241300x800000000000000047663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-upload-archive.exe 13241300x800000000000000047662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\BinProductVersion2.35.1.2 13241300x800000000000000047661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\LinkDate02/01/2022 15:47:52 13241300x800000000000000047660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\Publisherthe git development community 13241300x800000000000000047659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\LowerCaseLongPathc:\program files\git\mingw64\bin\git-upload-archive.exe 13241300x800000000000000047658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\BinProductVersion2.35.1.2 13241300x800000000000000047657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\LinkDate02/01/2022 15:47:52 13241300x800000000000000047656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\Publisherthe git development community 13241300x800000000000000047655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-update-server-info.exe 13241300x800000000000000047654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\BinProductVersion2.35.1.2 13241300x800000000000000047653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\LinkDate02/01/2022 15:47:52 13241300x800000000000000047652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\Publisherthe git development community 13241300x800000000000000047651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-update-ref.exe 13241300x800000000000000047650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\BinProductVersion2.35.1.2 13241300x800000000000000047649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\LinkDate02/01/2022 15:47:52 13241300x800000000000000047648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\Publisherthe git development community 13241300x800000000000000047647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-update-index.exe 13241300x800000000000000047646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\BinProductVersion2.35.1.2 13241300x800000000000000047645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\LinkDate02/01/2022 15:47:52 13241300x800000000000000047644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\Publisherthe git development community 13241300x800000000000000047643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-unpack-objects.exe 13241300x800000000000000047642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\BinProductVersion2.35.1.2 13241300x800000000000000047641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\LinkDate02/01/2022 15:47:52 13241300x800000000000000047640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\Publisherthe git development community 13241300x800000000000000047639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-unpack-file.exe 13241300x800000000000000047638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\BinProductVersion2.35.1.2 13241300x800000000000000047637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\LinkDate02/01/2022 15:47:52 13241300x800000000000000047636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\Publisherthe git development community 13241300x800000000000000047635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-tag.exe 13241300x800000000000000047634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\BinProductVersion2.35.1.2 13241300x800000000000000047633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\LinkDate02/01/2022 15:47:52 13241300x800000000000000047632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\Publisherthe git development community 13241300x800000000000000047631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-symbolic-ref.exe 13241300x800000000000000047630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\BinProductVersion2.35.1.2 13241300x800000000000000047629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\LinkDate02/01/2022 15:47:52 13241300x800000000000000047628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\Publisherthe git development community 13241300x800000000000000047627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-switch.exe 13241300x800000000000000047626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\BinProductVersion2.35.1.2 13241300x800000000000000047625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\LinkDate02/01/2022 15:47:52 13241300x800000000000000047624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\Publisherthe git development community 13241300x800000000000000047623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-submodule--helper.exe 13241300x800000000000000047622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\BinProductVersion2.35.1.2 13241300x800000000000000047621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\LinkDate02/01/2022 15:47:52 13241300x800000000000000047620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\Publisherthe git development community 13241300x800000000000000047619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-stripspace.exe 13241300x800000000000000047618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\BinProductVersion2.35.1.2 13241300x800000000000000047617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\LinkDate02/01/2022 15:47:52 13241300x800000000000000047616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\Publisherthe git development community 13241300x800000000000000047615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-status.exe 13241300x800000000000000047614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\BinProductVersion2.35.1.2 13241300x800000000000000047613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\LinkDate02/01/2022 15:47:52 13241300x800000000000000047612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\Publisherthe git development community 13241300x800000000000000047611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-stash.exe 13241300x800000000000000047610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\BinProductVersion2.35.1.2 13241300x800000000000000047609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\LinkDate02/01/2022 15:47:52 13241300x800000000000000047608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\Publisherthe git development community 13241300x800000000000000047607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-stage.exe 13241300x800000000000000047606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\BinProductVersion2.35.1.2 13241300x800000000000000047605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\LinkDate02/01/2022 15:47:52 13241300x800000000000000047604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\Publisherthe git development community 13241300x800000000000000047603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-sparse-checkout.exe 13241300x800000000000000047602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\BinProductVersion2.35.1.2 13241300x800000000000000047601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\LinkDate02/01/2022 15:47:52 13241300x800000000000000047600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\Publisherthe git development community 13241300x800000000000000047599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.789{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show.exe 13241300x800000000000000047598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\BinProductVersion2.35.1.2 13241300x800000000000000047597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\LinkDate02/01/2022 15:47:52 13241300x800000000000000047596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\Publisherthe git development community 13241300x800000000000000047595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-ref.exe 13241300x800000000000000047594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\BinProductVersion2.35.1.2 13241300x800000000000000047593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\LinkDate02/01/2022 15:47:52 13241300x800000000000000047592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\Publisherthe git development community 13241300x800000000000000047591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-index.exe 13241300x800000000000000047590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\BinProductVersion2.35.1.2 13241300x800000000000000047589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\LinkDate02/01/2022 15:47:52 13241300x800000000000000047588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\Publisherthe git development community 13241300x800000000000000047587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-branch.exe 13241300x800000000000000047586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\BinProductVersion2.35.1.2 13241300x800000000000000047585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\LinkDate02/01/2022 15:47:52 13241300x800000000000000047584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\Publisherthe git development community 13241300x800000000000000047583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-shortlog.exe 13241300x800000000000000047582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\BinProductVersion2.35.1.2 13241300x800000000000000047581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\LinkDate02/01/2022 15:47:52 13241300x800000000000000047580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\Publisherthe git development community 13241300x800000000000000047579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-sh-i18n--envsubst.exe 13241300x800000000000000047578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\BinProductVersion2.35.1.2 13241300x800000000000000047577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\LinkDate02/01/2022 15:47:52 13241300x800000000000000047576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\Publisherthe git development community 13241300x800000000000000047575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-send-pack.exe 13241300x800000000000000047574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\BinProductVersion2.35.1.2 13241300x800000000000000047573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\LinkDate02/01/2022 15:47:52 13241300x800000000000000047572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\Publisherthe git development community 13241300x800000000000000047571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rm.exe 13241300x800000000000000047570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\BinProductVersion2.35.1.2 13241300x800000000000000047569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\LinkDate02/01/2022 15:47:52 13241300x800000000000000047568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\Publisherthe git development community 13241300x800000000000000047567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-revert.exe 13241300x800000000000000047566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\BinProductVersion2.35.1.2 13241300x800000000000000047565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\LinkDate02/01/2022 15:47:52 13241300x800000000000000047564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\Publisherthe git development community 13241300x800000000000000047563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rev-parse.exe 13241300x800000000000000047562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\BinProductVersion2.35.1.2 13241300x800000000000000047561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\LinkDate02/01/2022 15:47:52 13241300x800000000000000047560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\Publisherthe git development community 13241300x800000000000000047559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rev-list.exe 13241300x800000000000000047558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\BinProductVersion2.35.1.2 13241300x800000000000000047557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\LinkDate02/01/2022 15:47:52 13241300x800000000000000047556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\Publisherthe git development community 13241300x800000000000000047555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-restore.exe 13241300x800000000000000047554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\BinProductVersion2.35.1.2 13241300x800000000000000047553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\LinkDate02/01/2022 15:47:52 13241300x800000000000000047552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\Publisherthe git development community 13241300x800000000000000047551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-reset.exe 13241300x800000000000000047550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\BinProductVersion2.35.1.2 13241300x800000000000000047549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\LinkDate02/01/2022 15:47:52 13241300x800000000000000047548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\Publisherthe git development community 13241300x800000000000000047547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rerere.exe 13241300x800000000000000047546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\BinProductVersion2.35.1.2 13241300x800000000000000047545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\LinkDate02/01/2022 15:47:52 13241300x800000000000000047544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\Publisherthe git development community 13241300x800000000000000047543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-replace.exe 13241300x800000000000000047542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\BinProductVersion2.35.1.2 13241300x800000000000000047541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\LinkDate02/01/2022 15:47:52 13241300x800000000000000047540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\Publisherthe git development community 13241300x800000000000000047539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-repack.exe 13241300x800000000000000047538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\BinProductVersion2.35.1.2 13241300x800000000000000047537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\LinkDate02/01/2022 15:47:52 13241300x800000000000000047536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\Publisherthe git development community 13241300x800000000000000047535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote.exe 13241300x800000000000000047534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\BinProductVersion2.35.1.2 13241300x800000000000000047533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\LinkDate02/01/2022 15:47:52 13241300x800000000000000047532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\Publisherthe git development community 13241300x800000000000000047531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-https.exe 13241300x800000000000000047530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\BinProductVersion2.35.1.2 13241300x800000000000000047529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\LinkDate02/01/2022 15:47:52 13241300x800000000000000047528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\Publisherthe git development community 13241300x800000000000000047527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-http.exe 13241300x800000000000000047526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\BinProductVersion2.35.1.2 13241300x800000000000000047525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\LinkDate02/01/2022 15:47:52 13241300x800000000000000047524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\Publisherthe git development community 13241300x800000000000000047523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-ftps.exe 13241300x800000000000000047522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\BinProductVersion2.35.1.2 13241300x800000000000000047521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\LinkDate02/01/2022 15:47:52 13241300x800000000000000047520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\Publisherthe git development community 13241300x800000000000000047519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-ftp.exe 13241300x800000000000000047518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\BinProductVersion2.35.1.2 13241300x800000000000000047517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\LinkDate02/01/2022 15:47:52 13241300x800000000000000047516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\Publisherthe git development community 13241300x800000000000000047515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-fd.exe 13241300x800000000000000047514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\BinProductVersion2.35.1.2 13241300x800000000000000047513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.773{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\LinkDate02/01/2022 15:47:52 13241300x800000000000000047512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\Publisherthe git development community 13241300x800000000000000047511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-ext.exe 13241300x800000000000000047510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\BinProductVersion2.35.1.2 13241300x800000000000000047509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\LinkDate02/01/2022 15:47:52 13241300x800000000000000047508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\Publisherthe git development community 13241300x800000000000000047507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-reflog.exe 13241300x800000000000000047506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\BinProductVersion2.35.1.2 13241300x800000000000000047505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\LinkDate02/01/2022 15:47:52 13241300x800000000000000047504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\Publisherthe git development community 13241300x800000000000000047503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\LowerCaseLongPathc:\program files\git\mingw64\bin\git-receive-pack.exe 13241300x800000000000000047502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\BinProductVersion2.35.1.2 13241300x800000000000000047501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\LinkDate02/01/2022 15:47:52 13241300x800000000000000047500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\Publisherthe git development community 13241300x800000000000000047499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-receive-pack.exe 13241300x800000000000000047498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\BinProductVersion2.35.1.2 13241300x800000000000000047497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\LinkDate02/01/2022 15:47:52 13241300x800000000000000047496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\Publisherthe git development community 13241300x800000000000000047495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rebase.exe 13241300x800000000000000047494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\BinProductVersion2.35.1.2 13241300x800000000000000047493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\LinkDate02/01/2022 15:47:52 13241300x800000000000000047492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\Publisherthe git development community 13241300x800000000000000047491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-read-tree.exe 13241300x800000000000000047490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\BinProductVersion2.35.1.2 13241300x800000000000000047489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\LinkDate02/01/2022 15:47:52 13241300x800000000000000047488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\Publisherthe git development community 13241300x800000000000000047487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-range-diff.exe 13241300x800000000000000047486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\BinProductVersion2.35.1.2 13241300x800000000000000047485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\LinkDate02/01/2022 15:47:52 13241300x800000000000000047484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\Publisherthe git development community 13241300x800000000000000047483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-push.exe 13241300x800000000000000047482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\BinProductVersion2.35.1.2 13241300x800000000000000047481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\LinkDate02/01/2022 15:47:52 13241300x800000000000000047480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\Publisherthe git development community 13241300x800000000000000047479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pull.exe 13241300x800000000000000047478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\BinProductVersion2.35.1.2 13241300x800000000000000047477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\LinkDate02/01/2022 15:47:52 13241300x800000000000000047476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\Publisherthe git development community 13241300x800000000000000047475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-prune.exe 13241300x800000000000000047474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\BinProductVersion2.35.1.2 13241300x800000000000000047473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\LinkDate02/01/2022 15:47:52 13241300x800000000000000047472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\Publisherthe git development community 13241300x800000000000000047471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-prune-packed.exe 13241300x800000000000000047470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\BinProductVersion2.35.1.2 13241300x800000000000000047469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\LinkDate02/01/2022 15:47:52 13241300x800000000000000047468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\Publisherthe git development community 13241300x800000000000000047467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-patch-id.exe 13241300x800000000000000047466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\BinProductVersion2.35.1.2 13241300x800000000000000047465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\LinkDate02/01/2022 15:47:52 13241300x800000000000000047464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\Publisherthe git development community 13241300x800000000000000047463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pack-refs.exe 13241300x800000000000000047462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\BinProductVersion2.35.1.2 13241300x800000000000000047461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\LinkDate02/01/2022 15:47:52 13241300x800000000000000047460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\Publisherthe git development community 13241300x800000000000000047459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pack-redundant.exe 13241300x800000000000000047458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\BinProductVersion2.35.1.2 13241300x800000000000000047457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\LinkDate02/01/2022 15:47:52 13241300x800000000000000047456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\Publisherthe git development community 13241300x800000000000000047455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pack-objects.exe 13241300x800000000000000047454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\BinProductVersion2.35.1.2 13241300x800000000000000047453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\LinkDate02/01/2022 15:47:52 13241300x800000000000000047452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\Publisherthe git development community 13241300x800000000000000047451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-notes.exe 13241300x800000000000000047450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\BinProductVersion2.35.1.2 13241300x800000000000000047449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\LinkDate02/01/2022 15:47:52 13241300x800000000000000047448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\Publisherthe git development community 13241300x800000000000000047447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-name-rev.exe 13241300x800000000000000047446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\BinProductVersion2.35.1.2 13241300x800000000000000047445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\LinkDate02/01/2022 15:47:52 13241300x800000000000000047444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\Publisherthe git development community 13241300x800000000000000047443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mv.exe 13241300x800000000000000047442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\BinProductVersion2.35.1.2 13241300x800000000000000047441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\LinkDate02/01/2022 15:47:52 13241300x800000000000000047440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\Publisherthe git development community 13241300x800000000000000047439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-multi-pack-index.exe 13241300x800000000000000047438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\BinProductVersion2.35.1.2 13241300x800000000000000047437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\LinkDate02/01/2022 15:47:52 13241300x800000000000000047436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\Publisherthe git development community 13241300x800000000000000047435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mktree.exe 13241300x800000000000000047434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\BinProductVersion2.35.1.2 13241300x800000000000000047433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\LinkDate02/01/2022 15:47:52 13241300x800000000000000047432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\Publisherthe git development community 13241300x800000000000000047431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mktag.exe 13241300x800000000000000047430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\BinProductVersion2.35.1.2 13241300x800000000000000047429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\LinkDate02/01/2022 15:47:52 13241300x800000000000000047428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\Publisherthe git development community 13241300x800000000000000047427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge.exe 13241300x800000000000000047426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\BinProductVersion2.35.1.2 13241300x800000000000000047425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\LinkDate02/01/2022 15:47:52 13241300x800000000000000047424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\Publisherthe git development community 13241300x800000000000000047423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-tree.exe 13241300x800000000000000047422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\BinProductVersion2.35.1.2 13241300x800000000000000047421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\LinkDate02/01/2022 15:47:52 13241300x800000000000000047420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\Publisherthe git development community 13241300x800000000000000047419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-subtree.exe 13241300x800000000000000047418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\BinProductVersion2.35.1.2 13241300x800000000000000047417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\LinkDate02/01/2022 15:47:52 13241300x800000000000000047416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\Publisherthe git development community 13241300x800000000000000047415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-recursive.exe 13241300x800000000000000047414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\BinProductVersion2.35.1.2 13241300x800000000000000047413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\LinkDate02/01/2022 15:47:52 13241300x800000000000000047412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\Publisherthe git development community 13241300x800000000000000047411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-ours.exe 13241300x800000000000000047410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\BinProductVersion2.35.1.2 13241300x800000000000000047409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\LinkDate02/01/2022 15:47:52 13241300x800000000000000047408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\Publisherthe git development community 13241300x800000000000000047407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-index.exe 13241300x800000000000000047406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\BinProductVersion2.35.1.2 13241300x800000000000000047405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\LinkDate02/01/2022 15:47:52 13241300x800000000000000047404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.757{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\Publisherthe git development community 13241300x800000000000000047403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.756{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-file.exe 13241300x800000000000000047402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.756{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\BinProductVersion2.35.1.2 13241300x800000000000000047401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.756{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\LinkDate02/01/2022 15:47:52 13241300x800000000000000047400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.756{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\Publisherthe git development community 13241300x800000000000000047399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.756{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-base.exe 13241300x800000000000000047398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.756{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\BinProductVersion2.35.1.2 13241300x800000000000000047397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.756{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\LinkDate02/01/2022 15:47:52 13241300x800000000000000047396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.755{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\Publisherthe git development community 13241300x800000000000000047395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.755{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-maintenance.exe 13241300x800000000000000047394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.755{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\BinProductVersion2.35.1.2 13241300x800000000000000047393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.755{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\LinkDate02/01/2022 15:47:52 13241300x800000000000000047392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.755{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\Publisherthe git development community 13241300x800000000000000047391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.755{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mailsplit.exe 13241300x800000000000000047390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.755{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\BinProductVersion2.35.1.2 13241300x800000000000000047389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.755{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\LinkDate02/01/2022 15:47:52 13241300x800000000000000047388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.755{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\Publisherthe git development community 13241300x800000000000000047387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.755{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mailinfo.exe 13241300x800000000000000047386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.754{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\BinProductVersion2.35.1.2 13241300x800000000000000047385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.754{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\LinkDate02/01/2022 15:47:52 13241300x800000000000000047384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.754{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\Publisherthe git development community 13241300x800000000000000047383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.754{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-tree.exe 13241300x800000000000000047382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.754{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\BinProductVersion2.35.1.2 13241300x800000000000000047381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.754{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\LinkDate02/01/2022 15:47:52 13241300x800000000000000047380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.754{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\Publisherthe git development community 13241300x800000000000000047379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.754{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-remote.exe 13241300x800000000000000047378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.754{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\BinProductVersion2.35.1.2 13241300x800000000000000047377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.754{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\LinkDate02/01/2022 15:47:52 13241300x800000000000000047376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.753{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\Publisherthe git development community 13241300x800000000000000047375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.753{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-files.exe 13241300x800000000000000047374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.752{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\BinProductVersion2.35.1.2 13241300x800000000000000047373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.752{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\LinkDate02/01/2022 15:47:52 13241300x800000000000000047372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.751{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\Publisherthe git development community 13241300x800000000000000047371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.751{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-log.exe 13241300x800000000000000047370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\BinProductVersion0.0.0.0 13241300x800000000000000047369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\LinkDate01/01/1970 00:00:00 13241300x800000000000000047368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\Publisher(Empty) 13241300x800000000000000047367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\LowerCaseLongPathc:\program files\git\mingw64\bin\git-lfs.exe 13241300x800000000000000047366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\BinProductVersion2.35.1.2 13241300x800000000000000047365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\LinkDate02/01/2022 15:47:52 13241300x800000000000000047364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\Publisherthe git development community 13241300x800000000000000047363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\LowerCaseLongPathc:\program files\git\cmd\git-lfs.exe 13241300x800000000000000047362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\BinProductVersion2.35.1.2 13241300x800000000000000047361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\LinkDate02/01/2022 15:47:52 13241300x800000000000000047360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\Publisherthe git development community 13241300x800000000000000047359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-interpret-trailers.exe 13241300x800000000000000047358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\BinProductVersion2.35.1.2 13241300x800000000000000047357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\LinkDate02/01/2022 15:47:52 13241300x800000000000000047356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\Publisherthe git development community 13241300x800000000000000047355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-init.exe 13241300x800000000000000047354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\BinProductVersion2.35.1.2 13241300x800000000000000047353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\LinkDate02/01/2022 15:47:52 13241300x800000000000000047352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\Publisherthe git development community 13241300x800000000000000047351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-init-db.exe 13241300x800000000000000047350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\BinProductVersion2.35.1.2 13241300x800000000000000047349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\LinkDate02/01/2022 15:47:52 13241300x800000000000000047348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\Publisherthe git development community 13241300x800000000000000047347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-index-pack.exe 13241300x800000000000000047346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\BinProductVersion2.35.1.2 13241300x800000000000000047345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\LinkDate02/01/2022 15:47:52 13241300x800000000000000047344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\Publisherthe git development community 13241300x800000000000000047343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-imap-send.exe 13241300x800000000000000047342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\BinProductVersion2.35.1.2 13241300x800000000000000047341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\LinkDate02/01/2022 15:47:52 13241300x800000000000000047340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\Publisherthe git development community 13241300x800000000000000047339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-http-push.exe 13241300x800000000000000047338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\BinProductVersion2.35.1.2 13241300x800000000000000047337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\LinkDate02/01/2022 15:47:52 13241300x800000000000000047336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\Publisherthe git development community 13241300x800000000000000047335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-http-fetch.exe 13241300x800000000000000047334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\BinProductVersion2.35.1.2 13241300x800000000000000047333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\LinkDate02/01/2022 15:47:52 13241300x800000000000000047332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\Publisherthe git development community 13241300x800000000000000047331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-http-backend.exe 13241300x800000000000000047330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\BinProductVersion2.35.1.2 13241300x800000000000000047329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\LinkDate02/01/2022 15:47:52 13241300x800000000000000047328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\Publisherthe git development community 13241300x800000000000000047327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-help.exe 13241300x800000000000000047326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\BinProductVersion2.35.1.2 13241300x800000000000000047325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\LinkDate02/01/2022 15:47:52 13241300x800000000000000047324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\Publisherthe git development community 13241300x800000000000000047323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-hash-object.exe 13241300x800000000000000047322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\BinProductVersion2.35.1.2 13241300x800000000000000047321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\LinkDate02/01/2022 15:47:52 13241300x800000000000000047320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\Publisherthe git development community 13241300x800000000000000047319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\LowerCaseLongPathc:\program files\git\cmd\git-gui.exe 13241300x800000000000000047318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\BinProductVersion2.35.1.2 13241300x800000000000000047317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\LinkDate02/01/2022 15:47:52 13241300x800000000000000047316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\Publisherthe git development community 13241300x800000000000000047315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-grep.exe 13241300x800000000000000047314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\BinProductVersion2.35.1.2 13241300x800000000000000047313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\LinkDate02/01/2022 15:47:52 13241300x800000000000000047312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\Publisherthe git development community 13241300x800000000000000047311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-get-tar-commit-id.exe 13241300x800000000000000047310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\BinProductVersion2.35.1.2 13241300x800000000000000047309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\LinkDate02/01/2022 15:47:52 13241300x800000000000000047308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\Publisherthe git development community 13241300x800000000000000047307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-gc.exe 13241300x800000000000000047306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\BinProductVersion2.35.1.2 13241300x800000000000000047305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\LinkDate02/01/2022 15:47:52 13241300x800000000000000047304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\Publisherthe git development community 13241300x800000000000000047303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fsmonitor--daemon.exe 13241300x800000000000000047302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\BinProductVersion2.35.1.2 13241300x800000000000000047301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\LinkDate02/01/2022 15:47:52 13241300x800000000000000047300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\Publisherthe git development community 13241300x800000000000000047299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fsck.exe 13241300x800000000000000047298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\BinProductVersion2.35.1.2 13241300x800000000000000047297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\LinkDate02/01/2022 15:47:52 13241300x800000000000000047296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\Publisherthe git development community 13241300x800000000000000047295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fsck-objects.exe 13241300x800000000000000047294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\BinProductVersion2.35.1.2 13241300x800000000000000047293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\LinkDate02/01/2022 15:47:52 13241300x800000000000000047292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\Publisherthe git development community 13241300x800000000000000047291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-format-patch.exe 13241300x800000000000000047290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\BinProductVersion2.35.1.2 13241300x800000000000000047289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\LinkDate02/01/2022 15:47:52 13241300x800000000000000047288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\Publisherthe git development community 13241300x800000000000000047287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-for-each-repo.exe 13241300x800000000000000047286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\BinProductVersion2.35.1.2 13241300x800000000000000047285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\LinkDate02/01/2022 15:47:52 13241300x800000000000000047284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.736{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\Publisherthe git development community 13241300x800000000000000047283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-for-each-ref.exe 13241300x800000000000000047282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\BinProductVersion2.35.1.2 13241300x800000000000000047281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\LinkDate02/01/2022 15:47:52 13241300x800000000000000047280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\Publisherthe git development community 13241300x800000000000000047279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fmt-merge-msg.exe 13241300x800000000000000047278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\BinProductVersion2.35.1.2 13241300x800000000000000047277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\LinkDate02/01/2022 15:47:52 13241300x800000000000000047276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\Publisherthe git development community 13241300x800000000000000047275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fetch.exe 13241300x800000000000000047274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\BinProductVersion2.35.1.2 13241300x800000000000000047273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\LinkDate02/01/2022 15:47:52 13241300x800000000000000047272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\Publisherthe git development community 13241300x800000000000000047271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fetch-pack.exe 13241300x800000000000000047270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\BinProductVersion2.35.1.2 13241300x800000000000000047269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\LinkDate02/01/2022 15:47:52 13241300x800000000000000047268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\Publisherthe git development community 13241300x800000000000000047267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fast-import.exe 13241300x800000000000000047266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\BinProductVersion2.35.1.2 13241300x800000000000000047265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\LinkDate02/01/2022 15:47:52 13241300x800000000000000047264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\Publisherthe git development community 13241300x800000000000000047263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fast-export.exe 13241300x800000000000000047262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\BinProductVersion2.35.1.2 13241300x800000000000000047261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\LinkDate02/01/2022 15:47:52 13241300x800000000000000047260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\Publisherthe git development community 13241300x800000000000000047259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-env--helper.exe 13241300x800000000000000047258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\BinProductVersion2.35.1.2 13241300x800000000000000047257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\LinkDate02/01/2022 15:47:52 13241300x800000000000000047256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\Publisherthe git development community 13241300x800000000000000047255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-difftool.exe 13241300x800000000000000047254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\BinProductVersion2.35.1.2 13241300x800000000000000047253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\LinkDate02/01/2022 15:47:52 13241300x800000000000000047252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\Publisherthe git development community 13241300x800000000000000047251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff.exe 13241300x800000000000000047250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\BinProductVersion2.35.1.2 13241300x800000000000000047249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\LinkDate02/01/2022 15:47:52 13241300x800000000000000047248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\Publisherthe git development community 13241300x800000000000000047247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-tree.exe 13241300x800000000000000047246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\BinProductVersion2.35.1.2 13241300x800000000000000047245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\LinkDate02/01/2022 15:47:52 13241300x800000000000000047244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\Publisherthe git development community 13241300x800000000000000047243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-index.exe 13241300x800000000000000047242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\BinProductVersion2.35.1.2 13241300x800000000000000047241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\LinkDate02/01/2022 15:47:52 13241300x800000000000000047240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\Publisherthe git development community 13241300x800000000000000047239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-files.exe 13241300x800000000000000047238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\BinProductVersion2.35.1.2 13241300x800000000000000047237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\LinkDate02/01/2022 15:47:52 13241300x800000000000000047236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\Publisherthe git development community 13241300x800000000000000047235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-describe.exe 13241300x800000000000000047234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\BinProductVersion2.35.1.2 13241300x800000000000000047233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\LinkDate02/01/2022 15:47:52 13241300x800000000000000047232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\Publisherthe git development community 13241300x800000000000000047231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-daemon.exe 13241300x800000000000000047230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\BinProductVersion2.35.1.2 13241300x800000000000000047229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\LinkDate02/01/2022 15:47:52 13241300x800000000000000047228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\Publisherthe git development community 13241300x800000000000000047227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential.exe 13241300x800000000000000047226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\BinProductVersion(Empty) 13241300x800000000000000047225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\LinkDate02/01/2022 15:47:52 13241300x800000000000000047224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\Publisher(Empty) 13241300x800000000000000047223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-wincred.exe 13241300x800000000000000047222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\BinProductVersion2.35.1.2 13241300x800000000000000047221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\LinkDate02/01/2022 15:47:52 13241300x800000000000000047220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\Publisherthe git development community 13241300x800000000000000047219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-store.exe 13241300x800000000000000047218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\BinProductVersion2.0.632.0 13241300x800000000000000047217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\LinkDate11/29/2069 22:43:08 13241300x800000000000000047216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\Publishergit-credential-manager-core 13241300x800000000000000047215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-manager-core.exe 13241300x800000000000000047214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\BinProductVersion(Empty) 13241300x800000000000000047213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\LinkDate01/01/1970 00:00:00 13241300x800000000000000047212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\Publisher(Empty) 13241300x800000000000000047211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\LowerCaseLongPathc:\program files\git\mingw64\bin\git-credential-helper-selector.exe 13241300x800000000000000047210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\BinProductVersion2.35.1.2 13241300x800000000000000047209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\LinkDate02/01/2022 15:47:52 13241300x800000000000000047208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\Publisherthe git development community 13241300x800000000000000047207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-cache.exe 13241300x800000000000000047206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\BinProductVersion2.35.1.2 13241300x800000000000000047205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\LinkDate02/01/2022 15:47:52 13241300x800000000000000047204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\Publisherthe git development community 13241300x800000000000000047203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-cache--daemon.exe 13241300x800000000000000047202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\BinProductVersion2.35.1.2 13241300x800000000000000047201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\LinkDate02/01/2022 15:47:52 13241300x800000000000000047200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\Publisherthe git development community 13241300x800000000000000047199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-count-objects.exe 13241300x800000000000000047198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\BinProductVersion2.35.1.2 13241300x800000000000000047197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\LinkDate02/01/2022 15:47:52 13241300x800000000000000047196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\Publisherthe git development community 13241300x800000000000000047195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-config.exe 13241300x800000000000000047194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\BinProductVersion2.35.1.2 13241300x800000000000000047193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\LinkDate02/01/2022 15:47:52 13241300x800000000000000047192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\Publisherthe git development community 13241300x800000000000000047191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit.exe 13241300x800000000000000047190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\BinProductVersion2.35.1.2 13241300x800000000000000047189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\LinkDate02/01/2022 15:47:52 13241300x800000000000000047188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\Publisherthe git development community 13241300x800000000000000047187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit-tree.exe 13241300x800000000000000047186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\BinProductVersion2.35.1.2 13241300x800000000000000047185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\LinkDate02/01/2022 15:47:52 13241300x800000000000000047184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\Publisherthe git development community 13241300x800000000000000047183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.720{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit-graph.exe 13241300x800000000000000047182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\BinProductVersion2.35.1.2 13241300x800000000000000047181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\LinkDate02/01/2022 15:47:52 13241300x800000000000000047180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\Publisherthe git development community 13241300x800000000000000047179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-column.exe 13241300x800000000000000047178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\BinProductVersion2.35.1.2 13241300x800000000000000047177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\LinkDate02/01/2022 15:47:52 13241300x800000000000000047176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\Publisherthe git development community 13241300x800000000000000047175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\LowerCaseLongPathc:\program files\git\git-cmd.exe 13241300x800000000000000047174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\BinProductVersion2.35.1.2 13241300x800000000000000047173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\LinkDate02/01/2022 15:47:52 13241300x800000000000000047172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\Publisherthe git development community 13241300x800000000000000047171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-clone.exe 13241300x800000000000000047170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\BinProductVersion2.35.1.2 13241300x800000000000000047169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\LinkDate02/01/2022 15:47:52 13241300x800000000000000047168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\Publisherthe git development community 13241300x800000000000000047167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-clean.exe 13241300x800000000000000047166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\BinProductVersion2.35.1.2 13241300x800000000000000047165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\LinkDate02/01/2022 15:47:52 13241300x800000000000000047164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\Publisherthe git development community 13241300x800000000000000047163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cherry.exe 13241300x800000000000000047162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\BinProductVersion2.35.1.2 13241300x800000000000000047161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\LinkDate02/01/2022 15:47:52 13241300x800000000000000047160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\Publisherthe git development community 13241300x800000000000000047159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cherry-pick.exe 13241300x800000000000000047158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\BinProductVersion2.35.1.2 13241300x800000000000000047157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\LinkDate02/01/2022 15:47:52 13241300x800000000000000047156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\Publisherthe git development community 13241300x800000000000000047155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-checkout.exe 13241300x800000000000000047154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\BinProductVersion2.35.1.2 13241300x800000000000000047153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\LinkDate02/01/2022 15:47:52 13241300x800000000000000047152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\Publisherthe git development community 13241300x800000000000000047151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-checkout-index.exe 13241300x800000000000000047150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-checkout--wo|5e17ac3afeabc004\BinProductVersion2.35.1.2 13241300x800000000000000047149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-checkout--wo|5e17ac3afeabc004\LinkDate02/01/2022 15:47:52 13241300x800000000000000047148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-checkout--wo|5e17ac3afeabc004\Publisherthe git development community 13241300x800000000000000047147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-checkout--wo|5e17ac3afeabc004\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-checkout--worker.exe 13241300x800000000000000047146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\BinProductVersion2.35.1.2 13241300x800000000000000047145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\LinkDate02/01/2022 15:47:52 13241300x800000000000000047144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\Publisherthe git development community 13241300x800000000000000047143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-ref-format.exe 13241300x800000000000000047142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\BinProductVersion2.35.1.2 13241300x800000000000000047141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\LinkDate02/01/2022 15:47:52 13241300x800000000000000047140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\Publisherthe git development community 13241300x800000000000000047139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-mailmap.exe 13241300x800000000000000047138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\BinProductVersion2.35.1.2 13241300x800000000000000047137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\LinkDate02/01/2022 15:47:52 13241300x800000000000000047136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\Publisherthe git development community 13241300x800000000000000047135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-ignore.exe 13241300x800000000000000047134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\BinProductVersion2.35.1.2 13241300x800000000000000047133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\LinkDate02/01/2022 15:47:52 13241300x800000000000000047132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\Publisherthe git development community 13241300x800000000000000047131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-attr.exe 13241300x800000000000000047130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\BinProductVersion2.35.1.2 13241300x800000000000000047129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\LinkDate02/01/2022 15:47:52 13241300x800000000000000047128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\Publisherthe git development community 13241300x800000000000000047127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cat-file.exe 13241300x800000000000000047126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\BinProductVersion2.35.1.2 13241300x800000000000000047125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\LinkDate02/01/2022 15:47:52 13241300x800000000000000047124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\Publisherthe git development community 13241300x800000000000000047123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bundle.exe 13241300x800000000000000047122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\BinProductVersion2.35.1.2 13241300x800000000000000047121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\LinkDate02/01/2022 15:47:52 13241300x800000000000000047120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\Publisherthe git development community 13241300x800000000000000047119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bugreport.exe 13241300x800000000000000047118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\BinProductVersion2.35.1.2 13241300x800000000000000047117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\LinkDate02/01/2022 15:47:52 13241300x800000000000000047116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\Publisherthe git development community 13241300x800000000000000047115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-branch.exe 13241300x800000000000000047114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\BinProductVersion2.35.1.2 13241300x800000000000000047113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\LinkDate02/01/2022 15:47:52 13241300x800000000000000047112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\Publisherthe git development community 13241300x800000000000000047111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-blame.exe 13241300x800000000000000047110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\BinProductVersion2.35.1.2 13241300x800000000000000047109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\LinkDate02/01/2022 15:47:52 13241300x800000000000000047108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\Publisherthe git development community 13241300x800000000000000047107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bisect--helper.exe 13241300x800000000000000047106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\BinProductVersion2.35.1.2 13241300x800000000000000047105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\LinkDate02/01/2022 15:47:52 13241300x800000000000000047104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\Publisherthe git development community 13241300x800000000000000047103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\LowerCaseLongPathc:\program files\git\git-bash.exe 13241300x800000000000000047102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\BinProductVersion(Empty) 13241300x800000000000000047101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\LinkDate01/01/1970 00:00:00 13241300x800000000000000047100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\Publisher(Empty) 13241300x800000000000000047099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\LowerCaseLongPathc:\program files\git\mingw64\bin\git-askyesno.exe 13241300x800000000000000047098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-askpass.exe|e2b400b31b8b5d22\BinProductVersion(Empty) 13241300x800000000000000047097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-askpass.exe|e2b400b31b8b5d22\LinkDate01/01/1970 00:00:00 13241300x800000000000000047096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-askpass.exe|e2b400b31b8b5d22\Publisher(Empty) 13241300x800000000000000047095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-askpass.exe|e2b400b31b8b5d22\LowerCaseLongPathc:\program files\git\mingw64\bin\git-askpass.exe 13241300x800000000000000047094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\BinProductVersion2.35.1.2 13241300x800000000000000047093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\LinkDate02/01/2022 15:47:52 13241300x800000000000000047092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\Publisherthe git development community 13241300x800000000000000047091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-archive.exe 13241300x800000000000000047090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\BinProductVersion2.35.1.2 13241300x800000000000000047089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\LinkDate02/01/2022 15:47:52 13241300x800000000000000047088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\Publisherthe git development community 13241300x800000000000000047087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-apply.exe 13241300x800000000000000047086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\BinProductVersion2.35.1.2 13241300x800000000000000047085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\LinkDate02/01/2022 15:47:52 13241300x800000000000000047084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\Publisherthe git development community 13241300x800000000000000047083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-annotate.exe 13241300x800000000000000047082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\BinProductVersion2.35.1.2 13241300x800000000000000047081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\LinkDate02/01/2022 15:47:52 13241300x800000000000000047080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\Publisherthe git development community 13241300x800000000000000047079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-am.exe 13241300x800000000000000047078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\BinProductVersion2.35.1.2 13241300x800000000000000047077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\LinkDate02/01/2022 15:47:52 13241300x800000000000000047076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.705{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\Publisherthe git development community 13241300x800000000000000047075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-add.exe 13241300x800000000000000047074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gio-querymodules|c9cec5f8077b3334\BinProductVersion(Empty) 13241300x800000000000000047073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gio-querymodules|c9cec5f8077b3334\LinkDate01/01/1970 00:00:00 13241300x800000000000000047072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gio-querymodules|c9cec5f8077b3334\Publisher(Empty) 13241300x800000000000000047071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gio-querymodules|c9cec5f8077b3334\LowerCaseLongPathc:\program files\git\usr\bin\gio-querymodules.exe 13241300x800000000000000047070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\BinProductVersion0.21.0.0 13241300x800000000000000047069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\LinkDate01/01/1970 00:00:00 13241300x800000000000000047068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\Publisherfree software foundation 13241300x800000000000000047067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\LowerCaseLongPathc:\program files\git\usr\bin\gettext.exe 13241300x800000000000000047066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\BinProductVersion0.21.0.0 13241300x800000000000000047065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\LinkDate01/01/1970 00:00:00 13241300x800000000000000047064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\Publisherfree software foundation 13241300x800000000000000047063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\LowerCaseLongPathc:\program files\git\mingw64\bin\gettext.exe 13241300x800000000000000047062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\BinProductVersion(Empty) 13241300x800000000000000047061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\LinkDate01/17/2022 11:52:24 13241300x800000000000000047060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\Publisher(Empty) 13241300x800000000000000047059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\LowerCaseLongPathc:\program files\git\usr\libexec\getprocaddr64.exe 13241300x800000000000000047058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\BinProductVersion(Empty) 13241300x800000000000000047057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\LinkDate01/17/2022 11:52:24 13241300x800000000000000047056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\Publisher(Empty) 13241300x800000000000000047055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\LowerCaseLongPathc:\program files\git\usr\libexec\getprocaddr32.exe 13241300x800000000000000047054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\BinProductVersion(Empty) 13241300x800000000000000047053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\LinkDate01/01/1970 00:00:00 13241300x800000000000000047052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\Publisher(Empty) 13241300x800000000000000047051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\LowerCaseLongPathc:\program files\git\usr\bin\getopt.exe 13241300x800000000000000047050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\BinProductVersion(Empty) 13241300x800000000000000047049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\LinkDate01/17/2022 11:53:01 13241300x800000000000000047048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\Publisher(Empty) 13241300x800000000000000047047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\LowerCaseLongPathc:\program files\git\usr\bin\getfacl.exe 13241300x800000000000000047046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\BinProductVersion(Empty) 13241300x800000000000000047045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\LinkDate01/17/2022 11:53:01 13241300x800000000000000047044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\Publisher(Empty) 13241300x800000000000000047043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\LowerCaseLongPathc:\program files\git\usr\bin\getconf.exe 13241300x800000000000000047042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\BinProductVersion(Empty) 13241300x800000000000000047041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\LinkDate01/17/2022 11:53:00 13241300x800000000000000047040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\Publisher(Empty) 13241300x800000000000000047039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\LowerCaseLongPathc:\program files\git\usr\bin\gencat.exe 13241300x800000000000000047038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gdbus.exe|bf2693ac7275e90\BinProductVersion(Empty) 13241300x800000000000000047037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gdbus.exe|bf2693ac7275e90\LinkDate01/01/1970 00:00:00 13241300x800000000000000047036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gdbus.exe|bf2693ac7275e90\Publisher(Empty) 13241300x800000000000000047035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gdbus.exe|bf2693ac7275e90\LowerCaseLongPathc:\program files\git\usr\bin\gdbus.exe 13241300x800000000000000047034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\BinProductVersion(Empty) 13241300x800000000000000047033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\LinkDate01/01/1970 00:00:00 13241300x800000000000000047032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\Publisher(Empty) 13241300x800000000000000047031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\LowerCaseLongPathc:\program files\git\usr\bin\gawk.exe 13241300x800000000000000047030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\BinProductVersion(Empty) 13241300x800000000000000047029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\LinkDate01/01/1970 00:00:00 13241300x800000000000000047028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\Publisher(Empty) 13241300x800000000000000047027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\LowerCaseLongPathc:\program files\git\usr\bin\gawk-5.0.0.exe 13241300x800000000000000047026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gapplication.exe|4ee0a6aaade17793\BinProductVersion(Empty) 13241300x800000000000000047025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gapplication.exe|4ee0a6aaade17793\LinkDate01/01/1970 00:00:00 13241300x800000000000000047024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gapplication.exe|4ee0a6aaade17793\Publisher(Empty) 13241300x800000000000000047023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gapplication.exe|4ee0a6aaade17793\LowerCaseLongPathc:\program files\git\usr\bin\gapplication.exe 13241300x800000000000000047022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\BinProductVersion(Empty) 13241300x800000000000000047021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\LinkDate05/08/2031 18:06:26 13241300x800000000000000047020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\Publisher(Empty) 13241300x800000000000000047019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\LowerCaseLongPathc:\program files\git\usr\bin\funzip.exe 13241300x800000000000000047018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\BinProductVersion(Empty) 13241300x800000000000000047017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\LinkDate01/01/1970 00:00:00 13241300x800000000000000047016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\Publisher(Empty) 13241300x800000000000000047015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\LowerCaseLongPathc:\program files\git\usr\libexec\frcode.exe 13241300x800000000000000047014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\BinProductVersion(Empty) 13241300x800000000000000047013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\LinkDate01/01/1970 00:00:00 13241300x800000000000000047012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\Publisher(Empty) 13241300x800000000000000047011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\LowerCaseLongPathc:\program files\git\usr\bin\fold.exe 13241300x800000000000000047010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\BinProductVersion(Empty) 13241300x800000000000000047009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\LinkDate01/01/1970 00:00:00 13241300x800000000000000047008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\Publisher(Empty) 13241300x800000000000000047007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\LowerCaseLongPathc:\program files\git\usr\bin\fmt.exe 13241300x800000000000000047006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\BinProductVersion(Empty) 13241300x800000000000000047005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\LinkDate01/01/1970 00:00:00 13241300x800000000000000047004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\Publisher(Empty) 13241300x800000000000000047003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\LowerCaseLongPathc:\program files\git\usr\bin\find.exe 13241300x800000000000000047002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\BinProductVersion(Empty) 13241300x800000000000000047001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\LinkDate01/01/1970 00:00:00 13241300x800000000000000047000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\Publisher(Empty) 13241300x800000000000000046999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\LowerCaseLongPathc:\program files\git\usr\bin\file.exe 13241300x800000000000000046998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fido2-token.exe|a3c5680a4f7259a\BinProductVersion(Empty) 13241300x800000000000000046997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fido2-token.exe|a3c5680a4f7259a\LinkDate01/01/1970 00:00:00 13241300x800000000000000046996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fido2-token.exe|a3c5680a4f7259a\Publisher(Empty) 13241300x800000000000000046995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fido2-token.exe|a3c5680a4f7259a\LowerCaseLongPathc:\program files\git\usr\bin\fido2-token.exe 13241300x800000000000000046994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fido2-cred.exe|c2222f8371b081a5\BinProductVersion(Empty) 13241300x800000000000000046993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fido2-cred.exe|c2222f8371b081a5\LinkDate01/01/1970 00:00:00 13241300x800000000000000046992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fido2-cred.exe|c2222f8371b081a5\Publisher(Empty) 13241300x800000000000000046991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fido2-cred.exe|c2222f8371b081a5\LowerCaseLongPathc:\program files\git\usr\bin\fido2-cred.exe 13241300x800000000000000046990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\BinProductVersion(Empty) 13241300x800000000000000046989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\LinkDate01/01/1970 00:00:00 13241300x800000000000000046988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\Publisher(Empty) 13241300x800000000000000046987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\LowerCaseLongPathc:\program files\git\usr\bin\fido2-assert.exe 13241300x800000000000000046986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\BinProductVersion(Empty) 13241300x800000000000000046985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\LinkDate01/01/1970 00:00:00 13241300x800000000000000046984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\Publisher(Empty) 13241300x800000000000000046983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\LowerCaseLongPathc:\program files\git\usr\bin\false.exe 13241300x800000000000000046982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\BinProductVersion(Empty) 13241300x800000000000000046981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\LinkDate01/01/1970 00:00:00 13241300x800000000000000046980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\Publisher(Empty) 13241300x800000000000000046979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\LowerCaseLongPathc:\program files\git\usr\bin\factor.exe 13241300x800000000000000046978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\BinProductVersion(Empty) 13241300x800000000000000046977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\LinkDate01/01/1970 00:00:00 13241300x800000000000000046976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\Publisher(Empty) 13241300x800000000000000046975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\LowerCaseLongPathc:\program files\git\usr\bin\expr.exe 13241300x800000000000000046974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\BinProductVersion(Empty) 13241300x800000000000000046973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\LinkDate01/01/1970 00:00:00 13241300x800000000000000046972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\Publisher(Empty) 13241300x800000000000000046971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\LowerCaseLongPathc:\program files\git\usr\bin\expand.exe 13241300x800000000000000046970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\BinProductVersion(Empty) 13241300x800000000000000046969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\LinkDate01/01/1970 00:00:00 13241300x800000000000000046968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\Publisher(Empty) 13241300x800000000000000046967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\LowerCaseLongPathc:\program files\git\usr\bin\ex.exe 13241300x800000000000000046966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\BinProductVersion0.21.0.0 13241300x800000000000000046965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\LinkDate01/01/1970 00:00:00 13241300x800000000000000046964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\Publisherfree software foundation 13241300x800000000000000046963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\LowerCaseLongPathc:\program files\git\mingw64\bin\envsubst.exe 13241300x800000000000000046962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\BinProductVersion0.21.0.0 13241300x800000000000000046961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\LinkDate01/01/1970 00:00:00 13241300x800000000000000046960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\Publisherfree software foundation 13241300x800000000000000046959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\LowerCaseLongPathc:\program files\git\usr\bin\envsubst.exe 13241300x800000000000000046958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\BinProductVersion(Empty) 13241300x800000000000000046957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\LinkDate01/01/1970 00:00:00 13241300x800000000000000046956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\Publisher(Empty) 13241300x800000000000000046955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\LowerCaseLongPathc:\program files\git\usr\bin\env.exe 13241300x800000000000000046954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\BinProductVersion(Empty) 13241300x800000000000000046953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\LinkDate01/01/1970 00:00:00 13241300x800000000000000046952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\Publisher(Empty) 13241300x800000000000000046951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\LowerCaseLongPathc:\program files\git\mingw64\bin\edit_test_dll.exe 13241300x800000000000000046950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\BinProductVersion(Empty) 13241300x800000000000000046949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\LinkDate01/01/1970 00:00:00 13241300x800000000000000046948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\Publisher(Empty) 13241300x800000000000000046947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\LowerCaseLongPathc:\program files\git\mingw64\bin\edit_test.exe 13241300x800000000000000046946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\BinProductVersion(Empty) 13241300x800000000000000046945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\LinkDate02/01/2022 15:47:52 13241300x800000000000000046944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\Publisher(Empty) 13241300x800000000000000046943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\LowerCaseLongPathc:\program files\git\mingw64\share\git\edit-git-bash.exe 13241300x800000000000000046942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\echo.exe|263446599120623a\BinProductVersion(Empty) 13241300x800000000000000046941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\echo.exe|263446599120623a\LinkDate01/01/1970 00:00:00 13241300x800000000000000046940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\echo.exe|263446599120623a\Publisher(Empty) 13241300x800000000000000046939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.689{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\echo.exe|263446599120623a\LowerCaseLongPathc:\program files\git\usr\bin\echo.exe 23542300x800000000000000019829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:18.201{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9DEFA4B1A8E2414901EC4CCC8E30B3,SHA256=BA5C6951EAC1554673245CE85EB8E83B9A14B8BDCC7931452187774879A34E8F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000048755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.172{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\Publisherdon ho don.h@free.fr 13241300x800000000000000048754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.171{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\LowerCaseLongPathc:\program files\notepad++\uninstall.exe 13241300x800000000000000048753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.171{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\BinProductVersion8.3.2.0 13241300x800000000000000048752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.171{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\LinkDate02/27/2022 02:38:03 13241300x800000000000000048751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.171{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\Publisherdon ho don.h@free.fr 13241300x800000000000000048750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.171{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\LowerCaseLongPathc:\program files\notepad++\notepad++.exe 13241300x800000000000000048749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.171{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\BinProductVersion5.2.2.0 13241300x800000000000000048748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.171{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\LinkDate11/10/2021 23:36:38 13241300x800000000000000048747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.171{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\Publisherdon ho don.h@free.fr 13241300x800000000000000048746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.171{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\LowerCaseLongPathc:\program files\notepad++\updater\gup.exe 13241300x800000000000000048745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.170{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\00007987ff109e3bf5c4e574a7d53d7396e40000ffff\PublisherNotepad++ Team 13241300x800000000000000048744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.159{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\BinProductVersion1.0.0.0 13241300x800000000000000048743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.159{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\LinkDate07/24/2021 22:21:04 13241300x800000000000000048742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.159{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\Publishermozilla corporation 13241300x800000000000000048741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.158{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\LowerCaseLongPathc:\program files (x86)\mozilla maintenance service\uninstall.exe 13241300x800000000000000048740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.158{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\BinProductVersion97.0.1.8082 13241300x800000000000000048739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.158{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\LinkDate02/16/2022 18:34:02 13241300x800000000000000048738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.158{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\Publishermozilla foundation 13241300x800000000000000048737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.157{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\LowerCaseLongPathc:\program files (x86)\mozilla maintenance service\maintenanceservice.exe 13241300x800000000000000048736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.156{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\0000551729dd9b2c96b923e049091f1bb9090000ffff\PublisherMozilla 13241300x800000000000000048735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.145{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\BinProductVersion97.0.1.8082 13241300x800000000000000048734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.145{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\LinkDate02/16/2022 18:33:45 13241300x800000000000000048733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.145{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\Publishermozilla foundation 13241300x800000000000000048732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.145{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\LowerCaseLongPathc:\program files\mozilla firefox\updater.exe 13241300x800000000000000048731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.145{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\BinProductVersion97.0.1.0 13241300x800000000000000048730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.145{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\LinkDate02/16/2022 18:53:20 13241300x800000000000000048729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.145{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\Publishermozilla corporation 13241300x800000000000000048728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.144{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\LowerCaseLongPathc:\program files\mozilla firefox\plugin-container.exe 13241300x800000000000000048727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.144{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\BinProductVersion97.0.1.8082 13241300x800000000000000048726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.144{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\LinkDate02/16/2022 18:34:06 13241300x800000000000000048725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.144{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\Publishermozilla foundation 13241300x800000000000000048724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.144{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\LowerCaseLongPathc:\program files\mozilla firefox\pingsender.exe 13241300x800000000000000048723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.144{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\BinProductVersion97.0.1.8082 13241300x800000000000000048722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.144{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\LinkDate02/16/2022 18:34:07 13241300x800000000000000048721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.143{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\Publishermozilla foundation 13241300x800000000000000048720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.143{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\LowerCaseLongPathc:\program files\mozilla firefox\minidump-analyzer.exe 13241300x800000000000000048719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.143{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\BinProductVersion1.0.0.0 13241300x800000000000000048718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.143{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\LinkDate07/24/2021 22:21:04 13241300x800000000000000048717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.143{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\Publishermozilla corporation 13241300x800000000000000048716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.143{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\LowerCaseLongPathc:\program files\mozilla firefox\maintenanceservice_installer.exe 13241300x800000000000000048715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.142{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\BinProductVersion97.0.1.8082 13241300x800000000000000048714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.142{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\LinkDate02/16/2022 18:34:02 13241300x800000000000000048713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.142{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\Publishermozilla foundation 13241300x800000000000000048712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.142{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\LowerCaseLongPathc:\program files\mozilla firefox\maintenanceservice.exe 13241300x800000000000000048711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.141{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\BinProductVersion1.0.0.0 13241300x800000000000000048710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.141{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\LinkDate07/24/2021 22:21:04 13241300x800000000000000048709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.141{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\Publishermozilla corporation 13241300x800000000000000048708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.141{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\LowerCaseLongPathc:\program files\mozilla firefox\uninstall\helper.exe 13241300x800000000000000048707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.141{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\BinProductVersion97.0.1.0 13241300x800000000000000048706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.141{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\LinkDate02/16/2022 18:33:57 13241300x800000000000000048705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.141{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\Publishermozilla corporation 13241300x800000000000000048704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.140{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\LowerCaseLongPathc:\program files\mozilla firefox\firefox.exe 13241300x800000000000000048703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.135{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\BinProductVersion97.0.1.8082 13241300x800000000000000048702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.135{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\LinkDate02/16/2022 18:40:12 13241300x800000000000000048701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.135{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\Publishermozilla foundation 13241300x800000000000000048700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.135{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\LowerCaseLongPathc:\program files\mozilla firefox\default-browser-agent.exe 13241300x800000000000000048699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.135{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\BinProductVersion97.0.1.8082 13241300x800000000000000048698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.135{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\LinkDate02/16/2022 18:34:56 13241300x800000000000000048697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.135{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\Publishermozilla foundation 13241300x800000000000000048696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.135{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\LowerCaseLongPathc:\program files\mozilla firefox\crashreporter.exe 13241300x800000000000000048695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.134{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\000002d8a6e8baa45d29a01b4f686d1e13da0000ffff\PublisherMozilla 13241300x800000000000000048694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.029{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\BinProductVersion(Empty) 13241300x800000000000000048693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.029{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\LinkDate05/08/2031 18:06:26 13241300x800000000000000048692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.027{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\Publisher(Empty) 13241300x800000000000000048691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.027{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\LowerCaseLongPathc:\program files\git\usr\bin\zipinfo.exe 13241300x800000000000000048690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.027{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\BinProductVersion(Empty) 13241300x800000000000000048689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.027{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\LinkDate01/01/1970 00:00:00 13241300x800000000000000048688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.026{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\Publisher(Empty) 13241300x800000000000000048687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.026{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\LowerCaseLongPathc:\program files\git\usr\bin\yes.exe 13241300x800000000000000048686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.026{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\BinProductVersion(Empty) 13241300x800000000000000048685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.026{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\LinkDate01/01/1970 00:00:00 13241300x800000000000000048684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.026{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\Publisher(Empty) 13241300x800000000000000048683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.026{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\LowerCaseLongPathc:\program files\git\usr\bin\yat2m.exe 13241300x800000000000000048682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.023{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\BinProductVersion5.2.5.0 13241300x800000000000000048681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.022{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\LinkDate01/01/1970 00:00:00 13241300x800000000000000048680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.022{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\Publisherthe tukaani project <https://tukaani.org/> 13241300x800000000000000048679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.022{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\LowerCaseLongPathc:\program files\git\mingw64\bin\xzdec.exe 13241300x800000000000000048678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.021{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\BinProductVersion5.2.5.0 13241300x800000000000000048677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.021{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\LinkDate01/01/1970 00:00:00 13241300x800000000000000048676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.020{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\Publisherthe tukaani project <https://tukaani.org/> 13241300x800000000000000048675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.020{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\LowerCaseLongPathc:\program files\git\mingw64\bin\xzcat.exe 13241300x800000000000000048674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.020{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\BinProductVersion5.2.5.0 13241300x800000000000000048673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.020{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\LinkDate01/01/1970 00:00:00 13241300x800000000000000048672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.019{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\Publisherthe tukaani project <https://tukaani.org/> 13241300x800000000000000048671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.019{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\LowerCaseLongPathc:\program files\git\mingw64\bin\xz.exe 13241300x800000000000000048670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.019{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\BinProductVersion(Empty) 13241300x800000000000000048669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.019{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\LinkDate01/01/1970 00:00:00 13241300x800000000000000048668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.019{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\Publisher(Empty) 13241300x800000000000000048667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.019{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\LowerCaseLongPathc:\program files\git\usr\bin\xxd.exe 13241300x800000000000000048666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.018{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\BinProductVersion(Empty) 13241300x800000000000000048665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.018{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\LinkDate01/01/1970 00:00:00 13241300x800000000000000048664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.018{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\Publisher(Empty) 13241300x800000000000000048663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.018{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\LowerCaseLongPathc:\program files\git\mingw64\bin\xmlwf.exe 13241300x800000000000000048662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.018{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xmllint.exe|4edab855de35972b\BinProductVersion(Empty) 13241300x800000000000000048661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.018{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xmllint.exe|4edab855de35972b\LinkDate01/01/1970 00:00:00 13241300x800000000000000048660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.018{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xmllint.exe|4edab855de35972b\Publisher(Empty) 13241300x800000000000000048659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.018{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xmllint.exe|4edab855de35972b\LowerCaseLongPathc:\program files\git\mingw64\bin\xmllint.exe 13241300x800000000000000048658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.018{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xmlcatalog.exe|ad3a3f621c028adc\BinProductVersion(Empty) 13241300x800000000000000048657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.017{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xmlcatalog.exe|ad3a3f621c028adc\LinkDate01/01/1970 00:00:00 13241300x800000000000000048656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.017{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xmlcatalog.exe|ad3a3f621c028adc\Publisher(Empty) 13241300x800000000000000048655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.017{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xmlcatalog.exe|ad3a3f621c028adc\LowerCaseLongPathc:\program files\git\mingw64\bin\xmlcatalog.exe 13241300x800000000000000048654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.016{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\BinProductVersion(Empty) 13241300x800000000000000048653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.016{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\LinkDate01/01/1970 00:00:00 13241300x800000000000000048652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.016{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\Publisher(Empty) 13241300x800000000000000048651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.016{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\LowerCaseLongPathc:\program files\git\usr\bin\xgettext.exe 13241300x800000000000000048650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.015{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\BinProductVersion(Empty) 13241300x800000000000000048649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.015{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\LinkDate01/01/1970 00:00:00 13241300x800000000000000048648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.014{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\Publisher(Empty) 13241300x800000000000000048647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.014{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\LowerCaseLongPathc:\program files\git\usr\bin\xargs.exe 13241300x800000000000000048646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.014{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\BinProductVersion(Empty) 13241300x800000000000000048645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.014{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\LinkDate01/01/1970 00:00:00 13241300x800000000000000048644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.014{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\Publisher(Empty) 13241300x800000000000000048643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.014{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\LowerCaseLongPathc:\program files\git\mingw64\bin\x86_64-w64-mingw32-deflatehd.exe 13241300x800000000000000048642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.014{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\BinProductVersion(Empty) 13241300x800000000000000048641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.014{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\LinkDate01/01/1970 00:00:00 13241300x800000000000000048640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.013{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\Publisher(Empty) 13241300x800000000000000048639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.013{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\LowerCaseLongPathc:\program files\git\mingw64\bin\x86_64-w64-mingw32-inflatehd.exe 13241300x800000000000000048638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.009{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\BinProductVersion(Empty) 13241300x800000000000000048637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.009{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\LinkDate01/01/1970 00:00:00 13241300x800000000000000048636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.009{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\Publisher(Empty) 13241300x800000000000000048635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.009{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\LowerCaseLongPathc:\program files\git\mingw64\bin\x86_64-w64-mingw32-agrep.exe 13241300x800000000000000048634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.008{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\BinProductVersion8.6.2.11 13241300x800000000000000048633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.008{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\LinkDate01/01/1970 00:00:00 13241300x800000000000000048632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.008{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\Publisheractivestate corporation 13241300x800000000000000048631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.008{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\LowerCaseLongPathc:\program files\git\mingw64\bin\wish86.exe 13241300x800000000000000048630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.008{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\BinProductVersion8.6.2.11 13241300x800000000000000048629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.008{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\LinkDate01/01/1970 00:00:00 13241300x800000000000000048628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.008{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\Publisheractivestate corporation 13241300x800000000000000048627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.999{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\LowerCaseLongPathc:\program files\git\mingw64\bin\wish.exe 13241300x800000000000000048626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.999{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\BinProductVersion(Empty) 13241300x800000000000000048625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.999{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\LinkDate11/17/2017 22:11:01 13241300x800000000000000048624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.999{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\Publisher(Empty) 13241300x800000000000000048623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.999{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\LowerCaseLongPathc:\program files\git\mingw64\bin\wintoast.exe 13241300x800000000000000048622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.999{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\BinProductVersion(Empty) 13241300x800000000000000048621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.999{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\LinkDate06/19/2025 15:30:53 13241300x800000000000000048620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.999{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\Publisher(Empty) 13241300x800000000000000048619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.997{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\LowerCaseLongPathc:\program files\git\usr\bin\winpty.exe 13241300x800000000000000048618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.996{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\BinProductVersion(Empty) 13241300x800000000000000048617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.996{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\LinkDate05/08/2031 18:06:26 13241300x800000000000000048616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.996{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\Publisher(Empty) 13241300x800000000000000048615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.996{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\LowerCaseLongPathc:\program files\git\usr\bin\winpty-debugserver.exe 13241300x800000000000000048614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.996{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\BinProductVersion(Empty) 13241300x800000000000000048613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.996{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\LinkDate05/08/2031 18:06:26 13241300x800000000000000048612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.996{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\Publisher(Empty) 13241300x800000000000000048611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.996{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\LowerCaseLongPathc:\program files\git\usr\bin\winpty-agent.exe 13241300x800000000000000048610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.996{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\BinProductVersion(Empty) 13241300x800000000000000048609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.996{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\LinkDate01/01/1970 00:00:00 13241300x800000000000000048608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.996{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\Publisher(Empty) 13241300x800000000000000048607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.995{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\LowerCaseLongPathc:\program files\git\mingw64\bin\whouses.exe 13241300x800000000000000048606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.995{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\BinProductVersion(Empty) 13241300x800000000000000048605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.995{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\LinkDate01/01/1970 00:00:00 13241300x800000000000000048604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.995{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\Publisher(Empty) 13241300x800000000000000048603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.995{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\LowerCaseLongPathc:\program files\git\usr\bin\whoami.exe 13241300x800000000000000048602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.995{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\BinProductVersion(Empty) 13241300x800000000000000048601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.995{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\LinkDate01/01/1970 00:00:00 13241300x800000000000000048600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.995{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\Publisher(Empty) 13241300x800000000000000048599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.995{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\LowerCaseLongPathc:\program files\git\usr\bin\who.exe 13241300x800000000000000048598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.995{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\BinProductVersion(Empty) 13241300x800000000000000048597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.994{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\LinkDate01/01/1970 00:00:00 13241300x800000000000000048596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.994{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\Publisher(Empty) 13241300x800000000000000048595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.994{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\LowerCaseLongPathc:\program files\git\usr\bin\which.exe 13241300x800000000000000048594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.994{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\BinProductVersion(Empty) 13241300x800000000000000048593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.994{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\LinkDate01/01/1970 00:00:00 13241300x800000000000000048592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.994{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\Publisher(Empty) 13241300x800000000000000048591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.994{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\LowerCaseLongPathc:\program files\git\usr\bin\wc.exe 13241300x800000000000000048590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.994{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\BinProductVersion(Empty) 13241300x800000000000000048589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.994{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\LinkDate01/01/1970 00:00:00 13241300x800000000000000048588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.994{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\Publisher(Empty) 13241300x800000000000000048587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.994{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\LowerCaseLongPathc:\program files\git\usr\bin\watchgnupg.exe 13241300x800000000000000048586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.993{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\BinProductVersion(Empty) 13241300x800000000000000048585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.993{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\LinkDate01/01/1970 00:00:00 13241300x800000000000000048584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.993{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\Publisher(Empty) 13241300x800000000000000048583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.993{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\LowerCaseLongPathc:\program files\git\usr\bin\vimdiff.exe 13241300x800000000000000048582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.993{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\BinProductVersion(Empty) 13241300x800000000000000048581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.993{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\LinkDate01/01/1970 00:00:00 13241300x800000000000000048580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.993{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\Publisher(Empty) 13241300x800000000000000048579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.992{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\LowerCaseLongPathc:\program files\git\usr\bin\vim.exe 13241300x800000000000000048578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.992{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\BinProductVersion(Empty) 13241300x800000000000000048577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.992{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\LinkDate01/01/1970 00:00:00 13241300x800000000000000048576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.992{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\Publisher(Empty) 13241300x800000000000000048575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.992{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\LowerCaseLongPathc:\program files\git\usr\bin\view.exe 13241300x800000000000000048574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.992{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\BinProductVersion(Empty) 13241300x800000000000000048573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.992{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\LinkDate01/01/1970 00:00:00 13241300x800000000000000048572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.992{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\Publisher(Empty) 13241300x800000000000000048571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.992{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\LowerCaseLongPathc:\program files\git\usr\bin\vdir.exe 13241300x800000000000000048570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.991{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\BinProductVersion(Empty) 13241300x800000000000000048569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.991{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\LinkDate01/01/1970 00:00:00 13241300x800000000000000048568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.991{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\Publisher(Empty) 13241300x800000000000000048567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.991{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\LowerCaseLongPathc:\program files\git\usr\bin\users.exe 13241300x800000000000000048566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\BinProductVersion(Empty) 13241300x800000000000000048565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\LinkDate01/01/1970 00:00:00 13241300x800000000000000048564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\Publisher(Empty) 13241300x800000000000000048563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\LowerCaseLongPathc:\program files\git\usr\lib\gettext\urlget.exe 13241300x800000000000000048562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\BinProductVersion(Empty) 13241300x800000000000000048561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\LinkDate05/08/2031 18:06:26 13241300x800000000000000048560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\Publisher(Empty) 13241300x800000000000000048559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\LowerCaseLongPathc:\program files\git\usr\bin\unzipsfx.exe 13241300x800000000000000048558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\BinProductVersion(Empty) 13241300x800000000000000048557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\LinkDate05/08/2031 18:06:26 13241300x800000000000000048556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\Publisher(Empty) 13241300x800000000000000048555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\LowerCaseLongPathc:\program files\git\usr\bin\unzip.exe 13241300x800000000000000048554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\BinProductVersion5.2.5.0 13241300x800000000000000048553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\LinkDate01/01/1970 00:00:00 13241300x800000000000000048552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\Publisherthe tukaani project <https://tukaani.org/> 13241300x800000000000000048551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\LowerCaseLongPathc:\program files\git\mingw64\bin\unxz.exe 13241300x800000000000000048550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\BinProductVersion(Empty) 13241300x800000000000000048549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\LinkDate01/01/1970 00:00:00 13241300x800000000000000048548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\Publisher(Empty) 13241300x800000000000000048547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\LowerCaseLongPathc:\program files\git\usr\bin\unlink.exe 13241300x800000000000000048546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\BinProductVersion(Empty) 13241300x800000000000000048545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\LinkDate01/01/1970 00:00:00 13241300x800000000000000048544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\Publisher(Empty) 13241300x800000000000000048543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\LowerCaseLongPathc:\program files\git\usr\bin\unix2mac.exe 13241300x800000000000000048542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\BinProductVersion(Empty) 13241300x800000000000000048541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\LinkDate01/01/1970 00:00:00 13241300x800000000000000048540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\Publisher(Empty) 13241300x800000000000000048539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\LowerCaseLongPathc:\program files\git\usr\bin\unix2dos.exe 13241300x800000000000000048538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\BinProductVersion(Empty) 13241300x800000000000000048537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\LinkDate01/01/1970 00:00:00 13241300x800000000000000048536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\Publisher(Empty) 13241300x800000000000000048535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\LowerCaseLongPathc:\program files\git\usr\bin\uniq.exe 13241300x800000000000000048534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\BinProductVersion2.35.1.2 13241300x800000000000000048533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\LinkDate11/15/2020 09:48:32 13241300x800000000000000048532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\Publisherthe git development community 13241300x800000000000000048531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\LowerCaseLongPathc:\program files\git\unins000.exe 13241300x800000000000000048530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\BinProductVersion(Empty) 13241300x800000000000000048529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\LinkDate01/01/1970 00:00:00 13241300x800000000000000048528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\Publisher(Empty) 13241300x800000000000000048527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\LowerCaseLongPathc:\program files\git\usr\bin\unexpand.exe 13241300x800000000000000048526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\BinProductVersion(Empty) 13241300x800000000000000048525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\LinkDate01/01/1970 00:00:00 13241300x800000000000000048524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\Publisher(Empty) 13241300x800000000000000048523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\LowerCaseLongPathc:\program files\git\usr\bin\uname.exe 13241300x800000000000000048522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\BinProductVersion(Empty) 13241300x800000000000000048521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\LinkDate01/17/2022 11:53:05 13241300x800000000000000048520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\Publisher(Empty) 13241300x800000000000000048519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\LowerCaseLongPathc:\program files\git\usr\bin\umount.exe 13241300x800000000000000048518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\BinProductVersion(Empty) 13241300x800000000000000048517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\LinkDate01/01/1970 00:00:00 13241300x800000000000000048516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\Publisher(Empty) 13241300x800000000000000048515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\LowerCaseLongPathc:\program files\git\usr\bin\u2d.exe 13241300x800000000000000048514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\BinProductVersion(Empty) 13241300x800000000000000048513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\LinkDate01/17/2022 11:53:05 13241300x800000000000000048512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\Publisher(Empty) 13241300x800000000000000048511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\LowerCaseLongPathc:\program files\git\usr\bin\tzset.exe 13241300x800000000000000048510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\BinProductVersion(Empty) 13241300x800000000000000048509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\LinkDate01/01/1970 00:00:00 13241300x800000000000000048508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\Publisher(Empty) 13241300x800000000000000048507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\LowerCaseLongPathc:\program files\git\usr\bin\tty.exe 13241300x800000000000000048506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\BinProductVersion(Empty) 13241300x800000000000000048505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\LinkDate01/01/1970 00:00:00 13241300x800000000000000048504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\Publisher(Empty) 13241300x800000000000000048503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\LowerCaseLongPathc:\program files\git\usr\bin\tsort.exe 13241300x800000000000000048502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\BinProductVersion(Empty) 13241300x800000000000000048501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\LinkDate01/01/1970 00:00:00 13241300x800000000000000048500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\Publisher(Empty) 13241300x800000000000000048499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\LowerCaseLongPathc:\program files\git\usr\bin\tset.exe 13241300x800000000000000048498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\BinProductVersion(Empty) 13241300x800000000000000048497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\LinkDate01/01/1970 00:00:00 13241300x800000000000000048496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\Publisher(Empty) 13241300x800000000000000048495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\LowerCaseLongPathc:\program files\git\usr\bin\trust.exe 13241300x800000000000000048494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\BinProductVersion(Empty) 13241300x800000000000000048493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\LinkDate01/01/1970 00:00:00 13241300x800000000000000048492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\Publisher(Empty) 13241300x800000000000000048491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\LowerCaseLongPathc:\program files\git\usr\bin\truncate.exe 13241300x800000000000000048490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\BinProductVersion(Empty) 13241300x800000000000000048489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\LinkDate01/01/1970 00:00:00 13241300x800000000000000048488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\Publisher(Empty) 13241300x800000000000000048487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\LowerCaseLongPathc:\program files\git\usr\bin\true.exe 13241300x800000000000000048486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\BinProductVersion(Empty) 13241300x800000000000000048485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\LinkDate01/01/1970 00:00:00 13241300x800000000000000048484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\Publisher(Empty) 13241300x800000000000000048483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\LowerCaseLongPathc:\program files\git\usr\bin\tr.exe 13241300x800000000000000048482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\BinProductVersion(Empty) 13241300x800000000000000048481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\LinkDate01/01/1970 00:00:00 13241300x800000000000000048480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\Publisher(Empty) 13241300x800000000000000048479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\LowerCaseLongPathc:\program files\git\usr\bin\tput.exe 13241300x800000000000000048478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\BinProductVersion(Empty) 13241300x800000000000000048477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\LinkDate01/01/1970 00:00:00 13241300x800000000000000048476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\Publisher(Empty) 13241300x800000000000000048475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\LowerCaseLongPathc:\program files\git\usr\bin\touch.exe 13241300x800000000000000048474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\BinProductVersion(Empty) 13241300x800000000000000048473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\LinkDate01/01/1970 00:00:00 13241300x800000000000000048472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\Publisher(Empty) 13241300x800000000000000048471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\LowerCaseLongPathc:\program files\git\usr\bin\toe.exe 13241300x800000000000000048470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\BinProductVersion(Empty) 13241300x800000000000000048469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\LinkDate01/01/1970 00:00:00 13241300x800000000000000048468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\Publisher(Empty) 13241300x800000000000000048467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\LowerCaseLongPathc:\program files\git\usr\bin\timeout.exe 13241300x800000000000000048466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\BinProductVersion(Empty) 13241300x800000000000000048465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\LinkDate01/01/1970 00:00:00 13241300x800000000000000048464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\Publisher(Empty) 13241300x800000000000000048463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\LowerCaseLongPathc:\program files\git\usr\bin\tig.exe 13241300x800000000000000048462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\BinProductVersion(Empty) 13241300x800000000000000048461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\LinkDate01/01/1970 00:00:00 13241300x800000000000000048460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\Publisher(Empty) 13241300x800000000000000048459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\LowerCaseLongPathc:\program files\git\usr\bin\tic.exe 13241300x800000000000000048458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\BinProductVersion(Empty) 13241300x800000000000000048457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\LinkDate01/01/1970 00:00:00 13241300x800000000000000048456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\Publisher(Empty) 13241300x800000000000000048455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\LowerCaseLongPathc:\program files\git\usr\bin\test.exe 13241300x800000000000000048454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\BinProductVersion(Empty) 13241300x800000000000000048453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\LinkDate01/01/1970 00:00:00 13241300x800000000000000048452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\Publisher(Empty) 13241300x800000000000000048451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\LowerCaseLongPathc:\program files\git\usr\bin\tee.exe 13241300x800000000000000048450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\BinProductVersion8.6.2.11 13241300x800000000000000048449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\LinkDate01/01/1970 00:00:00 13241300x800000000000000048448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\Publisheractivestate corporation 13241300x800000000000000048447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\LowerCaseLongPathc:\program files\git\mingw64\bin\tclsh86.exe 13241300x800000000000000048446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\BinProductVersion8.6.2.11 13241300x800000000000000048445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\LinkDate01/01/1970 00:00:00 13241300x800000000000000048444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\Publisheractivestate corporation 13241300x800000000000000048443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.975{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\LowerCaseLongPathc:\program files\git\mingw64\bin\tclsh.exe 13241300x800000000000000048442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.974{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\BinProductVersion(Empty) 13241300x800000000000000048441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.974{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\LinkDate01/01/1970 00:00:00 13241300x800000000000000048440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.974{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\Publisher(Empty) 13241300x800000000000000048439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.974{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\LowerCaseLongPathc:\program files\git\usr\bin\tar.exe 13241300x800000000000000048438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.974{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\BinProductVersion(Empty) 13241300x800000000000000048437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.974{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\LinkDate01/01/1970 00:00:00 13241300x800000000000000048436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.974{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\Publisher(Empty) 13241300x800000000000000048435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.973{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\LowerCaseLongPathc:\program files\git\usr\bin\tail.exe 13241300x800000000000000048434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.973{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\BinProductVersion(Empty) 13241300x800000000000000048433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.973{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\LinkDate01/01/1970 00:00:00 13241300x800000000000000048432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.973{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\Publisher(Empty) 13241300x800000000000000048431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.973{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\LowerCaseLongPathc:\program files\git\usr\bin\tac.exe 13241300x800000000000000048430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.973{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\BinProductVersion(Empty) 13241300x800000000000000048429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.973{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\LinkDate01/01/1970 00:00:00 13241300x800000000000000048428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.973{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\Publisher(Empty) 13241300x800000000000000048427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.972{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\LowerCaseLongPathc:\program files\git\usr\bin\tabs.exe 13241300x800000000000000048426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.972{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\BinProductVersion(Empty) 13241300x800000000000000048425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.972{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\LinkDate01/01/1970 00:00:00 13241300x800000000000000048424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.972{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\Publisher(Empty) 13241300x800000000000000048423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.972{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\LowerCaseLongPathc:\program files\git\usr\bin\sync.exe 13241300x800000000000000048422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.972{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\BinProductVersion(Empty) 13241300x800000000000000048421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.972{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\LinkDate01/01/1970 00:00:00 13241300x800000000000000048420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.972{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\Publisher(Empty) 13241300x800000000000000048419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.972{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\LowerCaseLongPathc:\program files\git\usr\bin\sum.exe 13241300x800000000000000048418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.971{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\BinProductVersion(Empty) 13241300x800000000000000048417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.971{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\LinkDate01/01/1970 00:00:00 13241300x800000000000000048416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.971{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\Publisher(Empty) 13241300x800000000000000048415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.971{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\LowerCaseLongPathc:\program files\git\usr\bin\stty.exe 13241300x800000000000000048414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.970{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\BinProductVersion(Empty) 13241300x800000000000000048413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.970{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\LinkDate01/17/2022 11:52:24 13241300x800000000000000048412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.970{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\Publisher(Empty) 13241300x800000000000000048411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.970{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\LowerCaseLongPathc:\program files\git\usr\bin\strace.exe 13241300x800000000000000048410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.970{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\stdbuf.exe|993a8b786b346306\BinProductVersion(Empty) 13241300x800000000000000048409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.970{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\stdbuf.exe|993a8b786b346306\LinkDate01/01/1970 00:00:00 13241300x800000000000000048408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.970{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\stdbuf.exe|993a8b786b346306\Publisher(Empty) 13241300x800000000000000048407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.970{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\stdbuf.exe|993a8b786b346306\LowerCaseLongPathc:\program files\git\usr\bin\stdbuf.exe 13241300x800000000000000048406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.969{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\BinProductVersion(Empty) 13241300x800000000000000048405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.969{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\LinkDate01/01/1970 00:00:00 13241300x800000000000000048404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.969{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\Publisher(Empty) 13241300x800000000000000048403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.969{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\LowerCaseLongPathc:\program files\git\usr\bin\stat.exe 13241300x800000000000000048402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.969{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\BinProductVersion(Empty) 13241300x800000000000000048401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.969{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\LinkDate01/17/2022 11:53:04 13241300x800000000000000048400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.969{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\Publisher(Empty) 13241300x800000000000000048399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.969{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\LowerCaseLongPathc:\program files\git\usr\bin\ssp.exe 13241300x800000000000000048398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.969{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\BinProductVersion(Empty) 13241300x800000000000000048397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.969{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\LinkDate01/01/1970 00:00:00 13241300x800000000000000048396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.969{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\Publisher(Empty) 13241300x800000000000000048395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.968{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\LowerCaseLongPathc:\program files\git\usr\bin\sshd.exe 13241300x800000000000000048394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.968{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\BinProductVersion(Empty) 13241300x800000000000000048393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.968{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\LinkDate01/01/1970 00:00:00 13241300x800000000000000048392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.968{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\Publisher(Empty) 13241300x800000000000000048391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.968{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\LowerCaseLongPathc:\program files\git\usr\bin\ssh.exe 13241300x800000000000000048390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.968{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\BinProductVersion(Empty) 13241300x800000000000000048389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.968{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\LinkDate01/01/1970 00:00:00 13241300x800000000000000048388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.968{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\Publisher(Empty) 13241300x800000000000000048387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.968{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\LowerCaseLongPathc:\program files\git\usr\lib\ssh\ssh-sk-helper.exe 13241300x800000000000000048386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.967{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\BinProductVersion(Empty) 13241300x800000000000000048385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.967{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\LinkDate01/01/1970 00:00:00 13241300x800000000000000048384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.967{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\Publisher(Empty) 13241300x800000000000000048383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.967{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\LowerCaseLongPathc:\program files\git\usr\lib\ssh\ssh-pkcs11-helper.exe 13241300x800000000000000048382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.967{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\BinProductVersion(Empty) 13241300x800000000000000048381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.967{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\LinkDate01/01/1970 00:00:00 13241300x800000000000000048380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.967{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\Publisher(Empty) 13241300x800000000000000048379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.966{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\LowerCaseLongPathc:\program files\git\usr\bin\ssh-pageant.exe 13241300x800000000000000048378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.966{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\BinProductVersion(Empty) 13241300x800000000000000048377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.965{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\LinkDate01/01/1970 00:00:00 13241300x800000000000000048376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.965{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\Publisher(Empty) 13241300x800000000000000048375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.965{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\LowerCaseLongPathc:\program files\git\usr\lib\ssh\ssh-keysign.exe 13241300x800000000000000048374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.964{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\BinProductVersion(Empty) 13241300x800000000000000048373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.964{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\LinkDate01/01/1970 00:00:00 13241300x800000000000000048372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.964{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\Publisher(Empty) 13241300x800000000000000048371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.964{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\LowerCaseLongPathc:\program files\git\usr\bin\ssh-keyscan.exe 13241300x800000000000000048370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.962{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\BinProductVersion(Empty) 13241300x800000000000000048369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.962{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\LinkDate01/01/1970 00:00:00 13241300x800000000000000048368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.961{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\Publisher(Empty) 13241300x800000000000000048367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.960{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\LowerCaseLongPathc:\program files\git\usr\bin\ssh-keygen.exe 13241300x800000000000000048366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.960{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\BinProductVersion(Empty) 13241300x800000000000000048365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.960{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\LinkDate01/01/1970 00:00:00 13241300x800000000000000048364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.958{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\Publisher(Empty) 13241300x800000000000000048363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.958{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\LowerCaseLongPathc:\program files\git\usr\bin\ssh-agent.exe 13241300x800000000000000048362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.954{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\BinProductVersion(Empty) 13241300x800000000000000048361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.954{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\LinkDate01/01/1970 00:00:00 13241300x800000000000000048360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.954{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\Publisher(Empty) 13241300x800000000000000048359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.954{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\LowerCaseLongPathc:\program files\git\usr\bin\ssh-add.exe 13241300x800000000000000048358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.954{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\BinProductVersion(Empty) 13241300x800000000000000048357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.954{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\LinkDate01/01/1970 00:00:00 13241300x800000000000000048356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.954{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\Publisher(Empty) 13241300x800000000000000048355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.954{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\LowerCaseLongPathc:\program files\git\usr\bin\split.exe 13241300x800000000000000048354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.954{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\BinProductVersion(Empty) 13241300x800000000000000048353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.954{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\LinkDate01/01/1970 00:00:00 13241300x800000000000000048352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.954{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\Publisher(Empty) 13241300x800000000000000048351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.954{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\LowerCaseLongPathc:\program files\git\usr\bin\sort.exe 13241300x800000000000000048350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.952{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\BinProductVersion(Empty) 13241300x800000000000000048349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.952{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\LinkDate01/01/1970 00:00:00 13241300x800000000000000048348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.952{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\Publisher(Empty) 13241300x800000000000000048347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.952{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\LowerCaseLongPathc:\program files\git\usr\bin\sleep.exe 13241300x800000000000000048346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.952{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\BinProductVersion(Empty) 13241300x800000000000000048345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.952{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\LinkDate01/01/1970 00:00:00 13241300x800000000000000048344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.952{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\Publisher(Empty) 13241300x800000000000000048343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.952{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\LowerCaseLongPathc:\program files\git\usr\bin\shuf.exe 13241300x800000000000000048342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.952{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\BinProductVersion(Empty) 13241300x800000000000000048341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.952{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\LinkDate01/01/1970 00:00:00 13241300x800000000000000048340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.951{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\Publisher(Empty) 13241300x800000000000000048339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.951{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\LowerCaseLongPathc:\program files\git\usr\bin\shred.exe 13241300x800000000000000048338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.951{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\BinProductVersion(Empty) 13241300x800000000000000048337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.951{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\LinkDate01/01/1970 00:00:00 13241300x800000000000000048336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.951{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\Publisher(Empty) 13241300x800000000000000048335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.951{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\LowerCaseLongPathc:\program files\git\usr\bin\sha512sum.exe 13241300x800000000000000048334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.950{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\BinProductVersion(Empty) 13241300x800000000000000048333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.950{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\LinkDate01/01/1970 00:00:00 13241300x800000000000000048332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.950{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\Publisher(Empty) 13241300x800000000000000048331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.950{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\LowerCaseLongPathc:\program files\git\usr\bin\sha384sum.exe 13241300x800000000000000048330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.950{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\BinProductVersion(Empty) 13241300x800000000000000048329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.950{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\LinkDate01/01/1970 00:00:00 13241300x800000000000000048328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.950{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\Publisher(Empty) 13241300x800000000000000048327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.950{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\LowerCaseLongPathc:\program files\git\usr\bin\sha256sum.exe 13241300x800000000000000048326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.948{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\BinProductVersion(Empty) 13241300x800000000000000048325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.948{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\LinkDate01/01/1970 00:00:00 13241300x800000000000000048324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.947{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\Publisher(Empty) 13241300x800000000000000048323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.947{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\LowerCaseLongPathc:\program files\git\usr\bin\sha224sum.exe 13241300x800000000000000048322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.947{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\BinProductVersion(Empty) 13241300x800000000000000048321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.947{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\LinkDate01/01/1970 00:00:00 13241300x800000000000000048320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.947{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\Publisher(Empty) 13241300x800000000000000048319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.947{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\LowerCaseLongPathc:\program files\git\usr\bin\sha1sum.exe 13241300x800000000000000048318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.947{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\BinProductVersion2.35.1.2 13241300x800000000000000048317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.947{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\LinkDate02/01/2022 15:47:52 13241300x800000000000000048316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.947{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\Publisherthe git development community 13241300x800000000000000048315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.947{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\LowerCaseLongPathc:\program files\git\bin\sh.exe 13241300x800000000000000048314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.946{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\BinProductVersion(Empty) 13241300x800000000000000048313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.946{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\LinkDate01/01/1970 00:00:00 13241300x800000000000000048312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.946{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\Publisher(Empty) 13241300x800000000000000048311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.946{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\LowerCaseLongPathc:\program files\git\usr\bin\sh.exe 13241300x800000000000000048310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.946{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\BinProductVersion(Empty) 13241300x800000000000000048309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.946{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\LinkDate01/01/1970 00:00:00 13241300x800000000000000048308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.946{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\Publisher(Empty) 13241300x800000000000000048307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.946{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\LowerCaseLongPathc:\program files\git\usr\bin\sftp.exe 13241300x800000000000000048306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.946{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\BinProductVersion(Empty) 13241300x800000000000000048305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.946{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\LinkDate01/01/1970 00:00:00 13241300x800000000000000048304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.945{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\Publisher(Empty) 13241300x800000000000000048303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.945{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\LowerCaseLongPathc:\program files\git\usr\lib\ssh\sftp-server.exe 13241300x800000000000000048302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.944{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\BinProductVersion(Empty) 13241300x800000000000000048301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.944{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\LinkDate01/01/1970 00:00:00 13241300x800000000000000048300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.944{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\Publisher(Empty) 13241300x800000000000000048299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.944{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\LowerCaseLongPathc:\program files\git\mingw64\bin\sexp-conv.exe 13241300x800000000000000048298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.943{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\BinProductVersion(Empty) 13241300x800000000000000048297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.943{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\LinkDate01/01/1970 00:00:00 13241300x800000000000000048296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.943{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\Publisher(Empty) 13241300x800000000000000048295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.943{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\LowerCaseLongPathc:\program files\git\usr\bin\sexp-conv.exe 13241300x800000000000000048294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.943{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\BinProductVersion(Empty) 13241300x800000000000000048293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.943{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\LinkDate01/17/2022 11:53:04 13241300x800000000000000048292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.943{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\Publisher(Empty) 13241300x800000000000000048291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.943{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\LowerCaseLongPathc:\program files\git\usr\bin\setmetamode.exe 13241300x800000000000000048290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.941{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\BinProductVersion(Empty) 13241300x800000000000000048289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.941{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\LinkDate01/17/2022 11:53:04 13241300x800000000000000048288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.941{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\Publisher(Empty) 13241300x800000000000000048287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.941{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\LowerCaseLongPathc:\program files\git\usr\bin\setfacl.exe 13241300x800000000000000048286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.941{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\BinProductVersion(Empty) 13241300x800000000000000048285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.941{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\LinkDate01/01/1970 00:00:00 13241300x800000000000000048284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.941{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\Publisher(Empty) 13241300x800000000000000048283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.941{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\LowerCaseLongPathc:\program files\git\usr\bin\seq.exe 13241300x800000000000000048282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.941{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\BinProductVersion(Empty) 13241300x800000000000000048281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.941{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\LinkDate01/01/1970 00:00:00 13241300x800000000000000048280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.941{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\Publisher(Empty) 13241300x800000000000000048279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.940{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\LowerCaseLongPathc:\program files\git\usr\bin\sed.exe 13241300x800000000000000048278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.939{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\BinProductVersion(Empty) 13241300x800000000000000048277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.939{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\LinkDate01/01/1970 00:00:00 13241300x800000000000000048276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.939{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\Publisher(Empty) 13241300x800000000000000048275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.939{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\LowerCaseLongPathc:\program files\git\usr\bin\sdiff.exe 13241300x800000000000000048274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.939{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\BinProductVersion(Empty) 13241300x800000000000000048273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.939{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\LinkDate01/01/1970 00:00:00 13241300x800000000000000048272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.939{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\Publisher(Empty) 13241300x800000000000000048271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.939{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\LowerCaseLongPathc:\program files\git\usr\bin\scp.exe 13241300x800000000000000048270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.939{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\BinProductVersion(Empty) 13241300x800000000000000048269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.939{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\LinkDate01/01/1970 00:00:00 13241300x800000000000000048268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.939{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\Publisher(Empty) 13241300x800000000000000048267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.939{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\scdaemon.exe 13241300x800000000000000048266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.938{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\BinProductVersion(Empty) 13241300x800000000000000048265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.938{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\LinkDate01/01/1970 00:00:00 13241300x800000000000000048264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.938{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\Publisher(Empty) 13241300x800000000000000048263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.938{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\LowerCaseLongPathc:\program files\git\usr\bin\rvim.exe 13241300x800000000000000048262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.938{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\BinProductVersion(Empty) 13241300x800000000000000048261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.938{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\LinkDate01/01/1970 00:00:00 13241300x800000000000000048260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.938{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\Publisher(Empty) 13241300x800000000000000048259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.938{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\LowerCaseLongPathc:\program files\git\usr\bin\rview.exe 13241300x800000000000000048258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.938{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\BinProductVersion(Empty) 13241300x800000000000000048257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.938{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\LinkDate01/01/1970 00:00:00 13241300x800000000000000048256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.937{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\Publisher(Empty) 13241300x800000000000000048255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.937{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\LowerCaseLongPathc:\program files\git\usr\bin\runcon.exe 13241300x800000000000000048254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.937{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\BinProductVersion(Empty) 13241300x800000000000000048253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.937{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\LinkDate01/01/1970 00:00:00 13241300x800000000000000048252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.937{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\Publisher(Empty) 13241300x800000000000000048251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.937{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\LowerCaseLongPathc:\program files\git\usr\bin\rnano.exe 13241300x800000000000000048250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.937{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\BinProductVersion(Empty) 13241300x800000000000000048249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.937{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\LinkDate01/01/1970 00:00:00 13241300x800000000000000048248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.937{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\Publisher(Empty) 13241300x800000000000000048247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.937{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\LowerCaseLongPathc:\program files\git\usr\lib\tar\rmt.exe 13241300x800000000000000048246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.936{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\BinProductVersion(Empty) 13241300x800000000000000048245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.936{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\LinkDate01/01/1970 00:00:00 13241300x800000000000000048244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.936{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\Publisher(Empty) 13241300x800000000000000048243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.936{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\LowerCaseLongPathc:\program files\git\usr\bin\rmdir.exe 13241300x800000000000000048242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.935{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\BinProductVersion(Empty) 13241300x800000000000000048241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.935{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\LinkDate01/01/1970 00:00:00 13241300x800000000000000048240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.932{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\Publisher(Empty) 13241300x800000000000000048239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.932{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\LowerCaseLongPathc:\program files\git\usr\bin\rm.exe 13241300x800000000000000048238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.932{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\BinProductVersion(Empty) 13241300x800000000000000048237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.932{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\LinkDate01/01/1970 00:00:00 13241300x800000000000000048236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.932{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\Publisher(Empty) 13241300x800000000000000048235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.932{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\LowerCaseLongPathc:\program files\git\usr\bin\reset.exe 13241300x800000000000000048234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.932{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\BinProductVersion(Empty) 13241300x800000000000000048233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.932{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\LinkDate01/17/2022 11:53:04 13241300x800000000000000048232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.931{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\Publisher(Empty) 13241300x800000000000000048231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.931{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\LowerCaseLongPathc:\program files\git\usr\bin\regtool.exe 13241300x800000000000000048230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.931{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\BinProductVersion(Empty) 13241300x800000000000000048229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.931{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\LinkDate01/01/1970 00:00:00 13241300x800000000000000048228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.931{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\Publisher(Empty) 13241300x800000000000000048227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.931{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\LowerCaseLongPathc:\program files\git\usr\bin\recode-sr-latin.exe 13241300x800000000000000048226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.931{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\BinProductVersion(Empty) 13241300x800000000000000048225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.931{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\LinkDate01/01/1970 00:00:00 13241300x800000000000000048224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.931{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\Publisher(Empty) 13241300x800000000000000048223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.931{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\LowerCaseLongPathc:\program files\git\usr\bin\rebase.exe 13241300x800000000000000048222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\BinProductVersion(Empty) 13241300x800000000000000048221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\LinkDate01/01/1970 00:00:00 13241300x800000000000000048220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\Publisher(Empty) 13241300x800000000000000048219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\LowerCaseLongPathc:\program files\git\usr\bin\realpath.exe 13241300x800000000000000048218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\BinProductVersion(Empty) 13241300x800000000000000048217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\LinkDate01/01/1970 00:00:00 13241300x800000000000000048216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\Publisher(Empty) 13241300x800000000000000048215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\LowerCaseLongPathc:\program files\git\usr\bin\readlink.exe 13241300x800000000000000048214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\BinProductVersion(Empty) 13241300x800000000000000048213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\LinkDate01/01/1970 00:00:00 13241300x800000000000000048212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\Publisher(Empty) 13241300x800000000000000048211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\LowerCaseLongPathc:\program files\git\usr\bin\pwd.exe 13241300x800000000000000048210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\BinProductVersion(Empty) 13241300x800000000000000048209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\LinkDate01/01/1970 00:00:00 13241300x800000000000000048208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.930{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\Publisher(Empty) 13241300x800000000000000048207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.929{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\LowerCaseLongPathc:\program files\git\usr\lib\awk\pwcat.exe 13241300x800000000000000048206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.928{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\BinProductVersion(Empty) 13241300x800000000000000048205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.928{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\LinkDate01/01/1970 00:00:00 13241300x800000000000000048204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.928{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\Publisher(Empty) 13241300x800000000000000048203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.928{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\LowerCaseLongPathc:\program files\git\usr\bin\ptx.exe 13241300x800000000000000048202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.927{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\BinProductVersion(Empty) 13241300x800000000000000048201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.927{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\LinkDate01/01/1970 00:00:00 13241300x800000000000000048200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.925{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\Publisher(Empty) 13241300x800000000000000048199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.925{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\LowerCaseLongPathc:\program files\git\usr\bin\psl.exe 13241300x800000000000000048198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.925{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\BinProductVersion(Empty) 13241300x800000000000000048197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.925{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\LinkDate01/17/2022 11:53:00 13241300x800000000000000048196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.924{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\Publisher(Empty) 13241300x800000000000000048195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.924{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\LowerCaseLongPathc:\program files\git\usr\bin\ps.exe 13241300x800000000000000048194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.924{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\BinProductVersion(Empty) 13241300x800000000000000048193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.922{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\LinkDate01/01/1970 00:00:00 13241300x800000000000000048192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.922{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\Publisher(Empty) 13241300x800000000000000048191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.922{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\LowerCaseLongPathc:\program files\git\mingw64\bin\proxy-lookup.exe 13241300x800000000000000048190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.921{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\profiler.exe|375a9b384421d7c1\BinProductVersion(Empty) 13241300x800000000000000048189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.921{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\profiler.exe|375a9b384421d7c1\LinkDate01/17/2022 11:53:04 13241300x800000000000000048188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.921{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\profiler.exe|375a9b384421d7c1\Publisher(Empty) 13241300x800000000000000048187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.921{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\profiler.exe|375a9b384421d7c1\LowerCaseLongPathc:\program files\git\usr\bin\profiler.exe 13241300x800000000000000048186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.921{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\BinProductVersion(Empty) 13241300x800000000000000048185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.921{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\LinkDate01/01/1970 00:00:00 13241300x800000000000000048184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.921{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\Publisher(Empty) 13241300x800000000000000048183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.911{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\LowerCaseLongPathc:\program files\git\usr\bin\printf.exe 13241300x800000000000000048182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.911{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\BinProductVersion(Empty) 13241300x800000000000000048181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.911{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\LinkDate01/01/1970 00:00:00 13241300x800000000000000048180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.911{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\Publisher(Empty) 13241300x800000000000000048179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.911{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\LowerCaseLongPathc:\program files\git\usr\bin\printenv.exe 13241300x800000000000000048178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.910{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\BinProductVersion(Empty) 13241300x800000000000000048177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.910{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\LinkDate01/01/1970 00:00:00 13241300x800000000000000048176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.910{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\Publisher(Empty) 13241300x800000000000000048175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.910{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\LowerCaseLongPathc:\program files\git\usr\bin\pr.exe 13241300x800000000000000048174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.910{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\BinProductVersion(Empty) 13241300x800000000000000048173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.910{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\LinkDate01/01/1970 00:00:00 13241300x800000000000000048172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.909{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\Publisher(Empty) 13241300x800000000000000048171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.908{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\LowerCaseLongPathc:\program files\git\usr\bin\pluginviewer.exe 13241300x800000000000000048170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.908{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\BinProductVersion(Empty) 13241300x800000000000000048169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.905{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\LinkDate01/17/2022 11:53:03 13241300x800000000000000048168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.905{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\Publisher(Empty) 13241300x800000000000000048167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.904{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\LowerCaseLongPathc:\program files\git\usr\bin\pldd.exe 13241300x800000000000000048166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.902{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\BinProductVersion(Empty) 13241300x800000000000000048165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.896{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\LinkDate01/01/1970 00:00:00 13241300x800000000000000048164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.896{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\Publisher(Empty) 13241300x800000000000000048163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.896{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\LowerCaseLongPathc:\program files\git\mingw64\bin\pkcs1-conv.exe 13241300x800000000000000048162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.896{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\BinProductVersion(Empty) 13241300x800000000000000048161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.896{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\LinkDate01/01/1970 00:00:00 13241300x800000000000000048160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.895{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\Publisher(Empty) 13241300x800000000000000048159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.892{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\LowerCaseLongPathc:\program files\git\usr\bin\pkcs1-conv.exe 13241300x800000000000000048158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.892{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\BinProductVersion(Empty) 13241300x800000000000000048157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.892{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\LinkDate01/01/1970 00:00:00 13241300x800000000000000048156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.892{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\Publisher(Empty) 13241300x800000000000000048155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.892{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\LowerCaseLongPathc:\program files\git\usr\bin\pinky.exe 13241300x800000000000000048154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.891{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\BinProductVersion(Empty) 13241300x800000000000000048153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.891{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\LinkDate01/01/1970 00:00:00 13241300x800000000000000048152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.891{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\Publisher(Empty) 13241300x800000000000000048151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.891{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\LowerCaseLongPathc:\program files\git\usr\bin\pinentry.exe 13241300x800000000000000048150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.891{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\BinProductVersion(Empty) 13241300x800000000000000048149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.891{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\LinkDate01/01/1970 00:00:00 13241300x800000000000000048148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.890{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\Publisher(Empty) 13241300x800000000000000048147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.890{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\LowerCaseLongPathc:\program files\git\usr\bin\pinentry-w32.exe 13241300x800000000000000048146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.890{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\perl5.34.0.exe|163b76b108d3f013\BinProductVersion(Empty) 13241300x800000000000000048145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.890{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\perl5.34.0.exe|163b76b108d3f013\LinkDate01/01/1970 00:00:00 13241300x800000000000000048144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.890{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\perl5.34.0.exe|163b76b108d3f013\Publisher(Empty) 13241300x800000000000000048143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.890{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\perl5.34.0.exe|163b76b108d3f013\LowerCaseLongPathc:\program files\git\usr\bin\perl5.34.0.exe 13241300x800000000000000048142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.890{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\BinProductVersion(Empty) 13241300x800000000000000048141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.890{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\LinkDate01/01/1970 00:00:00 13241300x800000000000000048140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.890{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\Publisher(Empty) 13241300x800000000000000048139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.889{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\LowerCaseLongPathc:\program files\git\usr\bin\perl.exe 13241300x800000000000000048138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.889{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\BinProductVersion(Empty) 13241300x800000000000000048137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.889{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\LinkDate01/01/1970 00:00:00 13241300x800000000000000048136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.889{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\Publisher(Empty) 13241300x800000000000000048135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.889{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\LowerCaseLongPathc:\program files\git\mingw64\bin\pdftotext.exe 13241300x800000000000000048134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.889{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\BinProductVersion(Empty) 13241300x800000000000000048133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.889{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\LinkDate01/01/1970 00:00:00 13241300x800000000000000048132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.888{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\Publisher(Empty) 13241300x800000000000000048131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.888{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\LowerCaseLongPathc:\program files\git\usr\bin\pathchk.exe 13241300x800000000000000048130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.888{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\BinProductVersion(Empty) 13241300x800000000000000048129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.888{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\LinkDate01/01/1970 00:00:00 13241300x800000000000000048128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.888{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\Publisher(Empty) 13241300x800000000000000048127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.888{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\LowerCaseLongPathc:\program files\git\usr\bin\patch.exe 13241300x800000000000000048126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.888{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\BinProductVersion(Empty) 13241300x800000000000000048125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.888{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\LinkDate01/01/1970 00:00:00 13241300x800000000000000048124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.887{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\Publisher(Empty) 13241300x800000000000000048123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.887{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\LowerCaseLongPathc:\program files\git\usr\bin\paste.exe 13241300x800000000000000048122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.887{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\BinProductVersion(Empty) 13241300x800000000000000048121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.887{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\LinkDate01/17/2022 11:53:03 13241300x800000000000000048120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.886{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\Publisher(Empty) 13241300x800000000000000048119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.886{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\LowerCaseLongPathc:\program files\git\usr\bin\passwd.exe 13241300x800000000000000048118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.886{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\BinProductVersion(Empty) 13241300x800000000000000048117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.886{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\LinkDate01/01/1970 00:00:00 13241300x800000000000000048116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.886{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\Publisher(Empty) 13241300x800000000000000048115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.886{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\LowerCaseLongPathc:\program files\git\usr\bin\p11-kit.exe 13241300x800000000000000048114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.886{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\BinProductVersion(Empty) 13241300x800000000000000048113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.886{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\LinkDate01/01/1970 00:00:00 13241300x800000000000000048112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.878{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\Publisher(Empty) 13241300x800000000000000048111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.878{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\LowerCaseLongPathc:\program files\git\usr\libexec\p11-kit\p11-kit-server.exe 13241300x800000000000000048110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.877{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\BinProductVersion(Empty) 13241300x800000000000000048109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.877{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\LinkDate01/01/1970 00:00:00 13241300x800000000000000048108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.877{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\Publisher(Empty) 13241300x800000000000000048107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.877{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\LowerCaseLongPathc:\program files\git\usr\libexec\p11-kit\p11-kit-remote.exe 13241300x800000000000000048106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.877{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\BinProductVersion1.1.1.13 13241300x800000000000000048105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.877{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\LinkDate12/15/2021 14:05:18 13241300x800000000000000048104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.877{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\Publisherthe openssl project, https://www.openssl.org/ 13241300x800000000000000048103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.877{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\LowerCaseLongPathc:\program files\git\mingw64\bin\openssl.exe 13241300x800000000000000048102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.875{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\BinProductVersion1.1.1.13 13241300x800000000000000048101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.875{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\LinkDate01/01/1970 00:00:00 13241300x800000000000000048100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.874{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\Publisherthe openssl project, https://www.openssl.org/ 13241300x800000000000000048099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.874{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\LowerCaseLongPathc:\program files\git\usr\bin\openssl.exe 13241300x800000000000000048098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.872{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\BinProductVersion(Empty) 13241300x800000000000000048097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.872{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\LinkDate01/01/1970 00:00:00 13241300x800000000000000048096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.872{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\Publisher(Empty) 13241300x800000000000000048095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.872{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\LowerCaseLongPathc:\program files\git\mingw64\bin\odt2txt.exe 13241300x800000000000000048094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.871{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\BinProductVersion(Empty) 13241300x800000000000000048093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.871{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\LinkDate01/01/1970 00:00:00 13241300x800000000000000048092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.871{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\Publisher(Empty) 13241300x800000000000000048091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.868{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\LowerCaseLongPathc:\program files\git\usr\bin\od.exe 13241300x800000000000000048090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.866{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\BinProductVersion(Empty) 13241300x800000000000000048089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.866{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\LinkDate01/01/1970 00:00:00 13241300x800000000000000048088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.866{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\Publisher(Empty) 13241300x800000000000000048087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.866{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\LowerCaseLongPathc:\program files\git\usr\bin\numfmt.exe 13241300x800000000000000048086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.866{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\BinProductVersion(Empty) 13241300x800000000000000048085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.866{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\LinkDate01/01/1970 00:00:00 13241300x800000000000000048084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.866{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\Publisher(Empty) 13241300x800000000000000048083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.866{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\LowerCaseLongPathc:\program files\git\usr\bin\nproc.exe 13241300x800000000000000048082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.865{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\BinProductVersion(Empty) 13241300x800000000000000048081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.865{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\LinkDate01/01/1970 00:00:00 13241300x800000000000000048080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.864{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\Publisher(Empty) 13241300x800000000000000048079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.864{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\LowerCaseLongPathc:\program files\git\usr\bin\nohup.exe 13241300x800000000000000048078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.864{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\BinProductVersion(Empty) 13241300x800000000000000048077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.864{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\LinkDate01/01/1970 00:00:00 13241300x800000000000000048076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.863{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\Publisher(Empty) 13241300x800000000000000048075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.863{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\LowerCaseLongPathc:\program files\git\usr\bin\nl.exe 13241300x800000000000000048074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.863{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\BinProductVersion(Empty) 13241300x800000000000000048073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.863{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\LinkDate01/01/1970 00:00:00 13241300x800000000000000048072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.863{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\Publisher(Empty) 13241300x800000000000000048071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.863{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\LowerCaseLongPathc:\program files\git\usr\bin\nice.exe 13241300x800000000000000048070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.863{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\BinProductVersion0.21.0.0 13241300x800000000000000048069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.863{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\LinkDate01/01/1970 00:00:00 13241300x800000000000000048068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.863{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\Publisherfree software foundation 13241300x800000000000000048067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.863{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\LowerCaseLongPathc:\program files\git\usr\bin\ngettext.exe 13241300x800000000000000048066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.862{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\BinProductVersion(Empty) 13241300x800000000000000048065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.862{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\LinkDate01/01/1970 00:00:00 13241300x800000000000000048064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.862{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\Publisher(Empty) 13241300x800000000000000048063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.862{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\LowerCaseLongPathc:\program files\git\usr\bin\nettle-pbkdf2.exe 13241300x800000000000000048062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.862{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\BinProductVersion(Empty) 13241300x800000000000000048061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.862{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\LinkDate01/01/1970 00:00:00 13241300x800000000000000048060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.862{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\Publisher(Empty) 13241300x800000000000000048059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.861{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\LowerCaseLongPathc:\program files\git\usr\bin\nettle-lfib-stream.exe 13241300x800000000000000048058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.861{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\BinProductVersion(Empty) 13241300x800000000000000048057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.861{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\LinkDate01/01/1970 00:00:00 13241300x800000000000000048056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.861{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\Publisher(Empty) 13241300x800000000000000048055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.859{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\LowerCaseLongPathc:\program files\git\usr\bin\nettle-hash.exe 13241300x800000000000000048054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.859{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\BinProductVersion(Empty) 13241300x800000000000000048053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.859{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\LinkDate01/01/1970 00:00:00 13241300x800000000000000048052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.859{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\Publisher(Empty) 13241300x800000000000000048051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.859{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\LowerCaseLongPathc:\program files\git\usr\bin\nano.exe 13241300x800000000000000048050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.859{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\BinProductVersion(Empty) 13241300x800000000000000048049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.859{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\LinkDate01/01/1970 00:00:00 13241300x800000000000000048048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.859{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\Publisher(Empty) 13241300x800000000000000048047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.859{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\LowerCaseLongPathc:\program files\git\usr\bin\mv.exe 13241300x800000000000000048046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.859{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\BinProductVersion(Empty) 13241300x800000000000000048045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.859{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\LinkDate01/01/1970 00:00:00 13241300x800000000000000048044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.859{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\Publisher(Empty) 13241300x800000000000000048043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.858{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\LowerCaseLongPathc:\program files\git\usr\bin\msguniq.exe 13241300x800000000000000048042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.858{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\BinProductVersion(Empty) 13241300x800000000000000048041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.858{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\LinkDate01/01/1970 00:00:00 13241300x800000000000000048040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.858{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\Publisher(Empty) 13241300x800000000000000048039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.858{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\LowerCaseLongPathc:\program files\git\usr\bin\msgunfmt.exe 13241300x800000000000000048038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.858{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\BinProductVersion(Empty) 13241300x800000000000000048037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.858{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\LinkDate01/01/1970 00:00:00 13241300x800000000000000048036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.858{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\Publisher(Empty) 13241300x800000000000000048035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.858{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\LowerCaseLongPathc:\program files\git\usr\bin\msgmerge.exe 13241300x800000000000000048034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.858{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\BinProductVersion(Empty) 13241300x800000000000000048033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.858{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\LinkDate01/01/1970 00:00:00 13241300x800000000000000048032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.858{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\Publisher(Empty) 13241300x800000000000000048031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.855{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\LowerCaseLongPathc:\program files\git\usr\bin\msginit.exe 13241300x800000000000000048030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.854{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\BinProductVersion(Empty) 13241300x800000000000000048029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.854{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\LinkDate01/01/1970 00:00:00 13241300x800000000000000048028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.853{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\Publisher(Empty) 13241300x800000000000000048027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\LowerCaseLongPathc:\program files\git\usr\bin\msggrep.exe 13241300x800000000000000048026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\BinProductVersion(Empty) 13241300x800000000000000048025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\LinkDate01/01/1970 00:00:00 13241300x800000000000000048024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\Publisher(Empty) 13241300x800000000000000048023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\LowerCaseLongPathc:\program files\git\usr\bin\msgfmt.exe 13241300x800000000000000048022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\BinProductVersion(Empty) 13241300x800000000000000048021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\LinkDate01/01/1970 00:00:00 13241300x800000000000000048020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\Publisher(Empty) 13241300x800000000000000048019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\LowerCaseLongPathc:\program files\git\usr\bin\msgfilter.exe 13241300x800000000000000048018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\BinProductVersion(Empty) 13241300x800000000000000048017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\LinkDate01/01/1970 00:00:00 13241300x800000000000000048016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\Publisher(Empty) 13241300x800000000000000048015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\LowerCaseLongPathc:\program files\git\usr\bin\msgexec.exe 13241300x800000000000000048014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\BinProductVersion(Empty) 13241300x800000000000000048013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\LinkDate01/01/1970 00:00:00 13241300x800000000000000048012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\Publisher(Empty) 13241300x800000000000000048011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\LowerCaseLongPathc:\program files\git\usr\bin\msgen.exe 13241300x800000000000000048010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\BinProductVersion(Empty) 13241300x800000000000000048009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\LinkDate01/01/1970 00:00:00 13241300x800000000000000048008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\Publisher(Empty) 13241300x800000000000000048007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\LowerCaseLongPathc:\program files\git\usr\bin\msgconv.exe 13241300x800000000000000048006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\BinProductVersion(Empty) 13241300x800000000000000048005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\LinkDate01/01/1970 00:00:00 13241300x800000000000000048004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\Publisher(Empty) 13241300x800000000000000048003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\LowerCaseLongPathc:\program files\git\usr\bin\msgcomm.exe 13241300x800000000000000048002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\BinProductVersion(Empty) 13241300x800000000000000048001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\LinkDate01/01/1970 00:00:00 13241300x800000000000000048000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\Publisher(Empty) 13241300x800000000000000047999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\LowerCaseLongPathc:\program files\git\usr\bin\msgcmp.exe 13241300x800000000000000047998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\BinProductVersion(Empty) 13241300x800000000000000047997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\LinkDate01/01/1970 00:00:00 13241300x800000000000000047996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\Publisher(Empty) 13241300x800000000000000047995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\LowerCaseLongPathc:\program files\git\usr\bin\msgcat.exe 13241300x800000000000000047994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\BinProductVersion(Empty) 13241300x800000000000000047993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\LinkDate01/01/1970 00:00:00 13241300x800000000000000047992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\Publisher(Empty) 13241300x800000000000000047991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\LowerCaseLongPathc:\program files\git\usr\bin\msgattrib.exe 13241300x800000000000000047990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\BinProductVersion(Empty) 13241300x800000000000000047989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\LinkDate01/01/1970 00:00:00 13241300x800000000000000047988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\Publisher(Empty) 13241300x800000000000000047987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\LowerCaseLongPathc:\program files\git\usr\bin\mpicalc.exe 13241300x800000000000000047986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\BinProductVersion(Empty) 13241300x800000000000000047985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\LinkDate01/17/2022 11:53:03 13241300x800000000000000047984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\Publisher(Empty) 13241300x800000000000000047983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\LowerCaseLongPathc:\program files\git\usr\bin\mount.exe 13241300x800000000000000047982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\BinProductVersion(Empty) 13241300x800000000000000047981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\LinkDate01/01/1970 00:00:00 13241300x800000000000000047980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\Publisher(Empty) 13241300x800000000000000047979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\LowerCaseLongPathc:\program files\git\usr\bin\mktemp.exe 13241300x800000000000000047978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\BinProductVersion(Empty) 13241300x800000000000000047977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\LinkDate01/17/2022 11:53:02 13241300x800000000000000047976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\Publisher(Empty) 13241300x800000000000000047975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\LowerCaseLongPathc:\program files\git\usr\bin\mkpasswd.exe 13241300x800000000000000047974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\BinProductVersion(Empty) 13241300x800000000000000047973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\LinkDate01/01/1970 00:00:00 13241300x800000000000000047972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\Publisher(Empty) 13241300x800000000000000047971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\LowerCaseLongPathc:\program files\git\usr\bin\mknod.exe 13241300x800000000000000047970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\BinProductVersion(Empty) 13241300x800000000000000047969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\LinkDate01/17/2022 11:53:02 13241300x800000000000000047968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\Publisher(Empty) 13241300x800000000000000047967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\LowerCaseLongPathc:\program files\git\usr\bin\mkgroup.exe 13241300x800000000000000047966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\BinProductVersion(Empty) 13241300x800000000000000047965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\LinkDate01/01/1970 00:00:00 13241300x800000000000000047964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\Publisher(Empty) 13241300x800000000000000047963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\LowerCaseLongPathc:\program files\git\usr\bin\mkfifo.exe 13241300x800000000000000047962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\BinProductVersion(Empty) 13241300x800000000000000047961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\LinkDate01/01/1970 00:00:00 13241300x800000000000000047960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\Publisher(Empty) 13241300x800000000000000047959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\LowerCaseLongPathc:\program files\git\usr\bin\mkdir.exe 13241300x800000000000000047958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\BinProductVersion0.0.0.0 13241300x800000000000000047957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\LinkDate01/01/1970 00:00:00 13241300x800000000000000047956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\Publisherandy koppe / thomas wolff 13241300x800000000000000047955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\LowerCaseLongPathc:\program files\git\usr\bin\mintty.exe 13241300x800000000000000047954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\BinProductVersion(Empty) 13241300x800000000000000047953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\LinkDate01/17/2022 11:53:02 13241300x800000000000000047952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\Publisher(Empty) 13241300x800000000000000047951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\LowerCaseLongPathc:\program files\git\usr\bin\minidumper.exe 13241300x800000000000000047950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\BinProductVersion(Empty) 13241300x800000000000000047949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\LinkDate01/01/1970 00:00:00 13241300x800000000000000047948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\Publisher(Empty) 13241300x800000000000000047947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\LowerCaseLongPathc:\program files\git\usr\bin\md5sum.exe 13241300x800000000000000047946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\BinProductVersion(Empty) 13241300x800000000000000047945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\LinkDate01/01/1970 00:00:00 13241300x800000000000000047944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\Publisher(Empty) 13241300x800000000000000047943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\LowerCaseLongPathc:\program files\git\usr\bin\mac2unix.exe 13241300x800000000000000047942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\BinProductVersion5.2.5.0 13241300x800000000000000047941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\LinkDate01/01/1970 00:00:00 13241300x800000000000000047940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\Publisherthe tukaani project <https://tukaani.org/> 13241300x800000000000000047939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\LowerCaseLongPathc:\program files\git\mingw64\bin\lzmainfo.exe 13241300x800000000000000047938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\BinProductVersion5.2.5.0 13241300x800000000000000047937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\LinkDate01/01/1970 00:00:00 13241300x800000000000000047936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\Publisherthe tukaani project <https://tukaani.org/> 13241300x800000000000000047935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\LowerCaseLongPathc:\program files\git\mingw64\bin\lzmadec.exe 13241300x800000000000000047934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\BinProductVersion(Empty) 13241300x800000000000000047933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\LinkDate01/17/2022 11:53:02 13241300x800000000000000047932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\Publisher(Empty) 13241300x800000000000000047931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\LowerCaseLongPathc:\program files\git\usr\bin\lsattr.exe 13241300x800000000000000047930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\BinProductVersion(Empty) 13241300x800000000000000047929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\LinkDate01/01/1970 00:00:00 13241300x800000000000000047928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\Publisher(Empty) 13241300x800000000000000047927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\LowerCaseLongPathc:\program files\git\usr\bin\ls.exe 13241300x800000000000000047926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\BinProductVersion(Empty) 13241300x800000000000000047925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\LinkDate01/01/1970 00:00:00 13241300x800000000000000047924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\Publisher(Empty) 13241300x800000000000000047923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\LowerCaseLongPathc:\program files\git\usr\bin\logname.exe 13241300x800000000000000047922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\BinProductVersion(Empty) 13241300x800000000000000047921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\LinkDate01/01/1970 00:00:00 13241300x800000000000000047920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\Publisher(Empty) 13241300x800000000000000047919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\LowerCaseLongPathc:\program files\git\usr\bin\locate.exe 13241300x800000000000000047918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\BinProductVersion(Empty) 13241300x800000000000000047917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\LinkDate01/17/2022 11:53:02 13241300x800000000000000047916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\Publisher(Empty) 13241300x800000000000000047915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\LowerCaseLongPathc:\program files\git\usr\bin\locale.exe 13241300x800000000000000047914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\BinProductVersion(Empty) 13241300x800000000000000047913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\LinkDate01/01/1970 00:00:00 13241300x800000000000000047912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\Publisher(Empty) 13241300x800000000000000047911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\LowerCaseLongPathc:\program files\git\usr\bin\ln.exe 13241300x800000000000000047910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\BinProductVersion(Empty) 13241300x800000000000000047909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\LinkDate01/01/1970 00:00:00 13241300x800000000000000047908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\Publisher(Empty) 13241300x800000000000000047907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\LowerCaseLongPathc:\program files\git\usr\bin\link.exe 13241300x800000000000000047906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\BinProductVersion(Empty) 13241300x800000000000000047905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\LinkDate01/01/1970 00:00:00 13241300x800000000000000047904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\Publisher(Empty) 13241300x800000000000000047903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.836{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\LowerCaseLongPathc:\program files\git\usr\bin\lesskey.exe 13241300x800000000000000047902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\BinProductVersion(Empty) 13241300x800000000000000047901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\LinkDate01/01/1970 00:00:00 13241300x800000000000000047900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\Publisher(Empty) 13241300x800000000000000047899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\LowerCaseLongPathc:\program files\git\usr\bin\lessecho.exe 13241300x800000000000000047898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\BinProductVersion(Empty) 13241300x800000000000000047897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\LinkDate01/01/1970 00:00:00 13241300x800000000000000047896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\Publisher(Empty) 13241300x800000000000000047895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\LowerCaseLongPathc:\program files\git\usr\bin\less.exe 13241300x800000000000000047894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\BinProductVersion(Empty) 13241300x800000000000000047893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\LinkDate01/17/2022 11:52:23 13241300x800000000000000047892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\Publisher(Empty) 13241300x800000000000000047891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\LowerCaseLongPathc:\program files\git\usr\bin\ldh.exe 13241300x800000000000000047890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\BinProductVersion(Empty) 13241300x800000000000000047889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\LinkDate01/17/2022 11:53:02 13241300x800000000000000047888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\Publisher(Empty) 13241300x800000000000000047887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\LowerCaseLongPathc:\program files\git\usr\bin\ldd.exe 13241300x800000000000000047886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\BinProductVersion(Empty) 13241300x800000000000000047885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\LinkDate01/17/2022 11:53:01 13241300x800000000000000047884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\Publisher(Empty) 13241300x800000000000000047883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\LowerCaseLongPathc:\program files\git\usr\bin\kill.exe 13241300x800000000000000047882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\BinProductVersion(Empty) 13241300x800000000000000047881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\LinkDate01/01/1970 00:00:00 13241300x800000000000000047880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\Publisher(Empty) 13241300x800000000000000047879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\LowerCaseLongPathc:\program files\git\usr\bin\kbxutil.exe 13241300x800000000000000047878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\BinProductVersion(Empty) 13241300x800000000000000047877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\LinkDate01/01/1970 00:00:00 13241300x800000000000000047876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\Publisher(Empty) 13241300x800000000000000047875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\LowerCaseLongPathc:\program files\git\usr\bin\join.exe 13241300x800000000000000047874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\BinProductVersion(Empty) 13241300x800000000000000047873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\LinkDate01/01/1970 00:00:00 13241300x800000000000000047872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\Publisher(Empty) 13241300x800000000000000047871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\LowerCaseLongPathc:\program files\git\usr\bin\install.exe 13241300x800000000000000047870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\BinProductVersion(Empty) 13241300x800000000000000047869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\LinkDate01/01/1970 00:00:00 13241300x800000000000000047868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\Publisher(Empty) 13241300x800000000000000047867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\LowerCaseLongPathc:\program files\git\usr\bin\infotocap.exe 13241300x800000000000000047866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\BinProductVersion(Empty) 13241300x800000000000000047865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\LinkDate01/01/1970 00:00:00 13241300x800000000000000047864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\Publisher(Empty) 13241300x800000000000000047863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\LowerCaseLongPathc:\program files\git\usr\bin\infocmp.exe 13241300x800000000000000047862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\BinProductVersion(Empty) 13241300x800000000000000047861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\LinkDate01/01/1970 00:00:00 13241300x800000000000000047860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\Publisher(Empty) 13241300x800000000000000047859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\LowerCaseLongPathc:\program files\git\usr\bin\id.exe 13241300x800000000000000047858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\BinProductVersion(Empty) 13241300x800000000000000047857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\LinkDate01/01/1970 00:00:00 13241300x800000000000000047856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\Publisher(Empty) 13241300x800000000000000047855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\LowerCaseLongPathc:\program files\git\usr\bin\iconv.exe 13241300x800000000000000047854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\BinProductVersion(Empty) 13241300x800000000000000047853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\LinkDate01/01/1970 00:00:00 13241300x800000000000000047852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\Publisher(Empty) 13241300x800000000000000047851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\LowerCaseLongPathc:\program files\git\usr\bin\hostname.exe 13241300x800000000000000047850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\BinProductVersion(Empty) 13241300x800000000000000047849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\LinkDate01/01/1970 00:00:00 13241300x800000000000000047848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\Publisher(Empty) 13241300x800000000000000047847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\LowerCaseLongPathc:\program files\git\usr\lib\gettext\hostname.exe 13241300x800000000000000047846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\BinProductVersion(Empty) 13241300x800000000000000047845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\LinkDate01/01/1970 00:00:00 13241300x800000000000000047844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\Publisher(Empty) 13241300x800000000000000047843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\LowerCaseLongPathc:\program files\git\usr\bin\hostid.exe 13241300x800000000000000047842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\BinProductVersion(Empty) 13241300x800000000000000047841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\LinkDate01/01/1970 00:00:00 13241300x800000000000000047840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\Publisher(Empty) 13241300x800000000000000047839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\LowerCaseLongPathc:\program files\git\usr\bin\hmac256.exe 13241300x800000000000000047838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\BinProductVersion2.35.1.2 13241300x800000000000000047837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\LinkDate02/01/2022 15:47:52 13241300x800000000000000047836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\Publisherthe git development community 13241300x800000000000000047835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\headless-git.exe 13241300x800000000000000047834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\BinProductVersion(Empty) 13241300x800000000000000047833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\LinkDate01/01/1970 00:00:00 13241300x800000000000000047832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\Publisher(Empty) 13241300x800000000000000047831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\LowerCaseLongPathc:\program files\git\usr\bin\head.exe 13241300x800000000000000047830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\BinProductVersion(Empty) 13241300x800000000000000047829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\LinkDate01/01/1970 00:00:00 13241300x800000000000000047828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\Publisher(Empty) 13241300x800000000000000047827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\LowerCaseLongPathc:\program files\git\usr\bin\gzip.exe 13241300x800000000000000047826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\BinProductVersion(Empty) 13241300x800000000000000047825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\LinkDate01/01/1970 00:00:00 13241300x800000000000000047824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\Publisher(Empty) 13241300x800000000000000047823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\LowerCaseLongPathc:\program files\git\usr\bin\gsettings.exe 13241300x800000000000000047822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\BinProductVersion(Empty) 13241300x800000000000000047821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\LinkDate01/01/1970 00:00:00 13241300x800000000000000047820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\Publisher(Empty) 13241300x800000000000000047819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\LowerCaseLongPathc:\program files\git\usr\bin\groups.exe 13241300x800000000000000047818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\BinProductVersion(Empty) 13241300x800000000000000047817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\LinkDate01/01/1970 00:00:00 13241300x800000000000000047816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\Publisher(Empty) 13241300x800000000000000047815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\LowerCaseLongPathc:\program files\git\usr\bin\grep.exe 13241300x800000000000000047814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\BinProductVersion(Empty) 13241300x800000000000000047813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\LinkDate01/01/1970 00:00:00 13241300x800000000000000047812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\Publisher(Empty) 13241300x800000000000000047811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\LowerCaseLongPathc:\program files\git\usr\lib\awk\grcat.exe 13241300x800000000000000047810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\BinProductVersion(Empty) 13241300x800000000000000047809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\LinkDate01/01/1970 00:00:00 13241300x800000000000000047808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\Publisher(Empty) 13241300x800000000000000047807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\LowerCaseLongPathc:\program files\git\usr\bin\gpgv.exe 13241300x800000000000000047806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\BinProductVersion(Empty) 13241300x800000000000000047805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\LinkDate01/01/1970 00:00:00 13241300x800000000000000047804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\Publisher(Empty) 13241300x800000000000000047803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\LowerCaseLongPathc:\program files\git\usr\bin\gpgtar.exe 13241300x800000000000000047802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\BinProductVersion(Empty) 13241300x800000000000000047801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\LinkDate01/01/1970 00:00:00 13241300x800000000000000047800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\Publisher(Empty) 13241300x800000000000000047799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\LowerCaseLongPathc:\program files\git\usr\bin\gpgsplit.exe 13241300x800000000000000047798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\BinProductVersion(Empty) 13241300x800000000000000047797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\LinkDate01/01/1970 00:00:00 13241300x800000000000000047796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\Publisher(Empty) 13241300x800000000000000047795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.820{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\LowerCaseLongPathc:\program files\git\usr\bin\gpgsm.exe 13241300x800000000000000047794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\BinProductVersion(Empty) 13241300x800000000000000047793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\LinkDate01/01/1970 00:00:00 13241300x800000000000000047792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\Publisher(Empty) 13241300x800000000000000047791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\LowerCaseLongPathc:\program files\git\usr\bin\gpgscm.exe 13241300x800000000000000047790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\BinProductVersion(Empty) 13241300x800000000000000047789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\LinkDate01/01/1970 00:00:00 13241300x800000000000000047788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\Publisher(Empty) 13241300x800000000000000047787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\LowerCaseLongPathc:\program files\git\usr\bin\gpgparsemail.exe 13241300x800000000000000047786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\BinProductVersion(Empty) 13241300x800000000000000047785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\LinkDate01/01/1970 00:00:00 13241300x800000000000000047784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\Publisher(Empty) 13241300x800000000000000047783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\LowerCaseLongPathc:\program files\git\usr\bin\gpgconf.exe 13241300x800000000000000047782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\BinProductVersion(Empty) 13241300x800000000000000047781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\LinkDate01/01/1970 00:00:00 13241300x800000000000000047780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\Publisher(Empty) 13241300x800000000000000047779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\LowerCaseLongPathc:\program files\git\usr\bin\gpg.exe 13241300x800000000000000047778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\BinProductVersion(Empty) 13241300x800000000000000047777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\LinkDate01/01/1970 00:00:00 13241300x800000000000000047776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\Publisher(Empty) 13241300x800000000000000047775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\LowerCaseLongPathc:\program files\git\usr\bin\gpg-wks-server.exe 13241300x800000000000000047774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\BinProductVersion(Empty) 13241300x800000000000000047773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:17.804{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\LinkDate01/01/1970 00:00:00 23542300x800000000000000019830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:19.232{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2873AC36BC9D67E43AD00AE350C1E326,SHA256=AF7E6ACA24D86CF67ABBB46D5E5BFAE1326069A833C66E9517D1AB33B7828B09,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000048903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:20.855{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vc_redist.x64.ex|df015788b6e48244\BinProductVersion14.29.30135.0 13241300x800000000000000048902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:20.855{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vc_redist.x64.ex|df015788b6e48244\LinkDate11/18/2017 21:37:28 13241300x800000000000000048901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:20.855{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vc_redist.x64.ex|df015788b6e48244\Publishermicrosoft corporation 13241300x800000000000000048900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:20.855{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\vc_redist.x64.ex|df015788b6e48244\LowerCaseLongPathc:\programdata\package cache\{fa7f6d52-f85e-48ef-8f56-a37268aa5772}\vc_redist.x64.exe 13241300x800000000000000048899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:20.855{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\0000a68b8027b32a34bba13a7aa54fd399140000ffff\PublisherMicrosoft Corporation 13241300x800000000000000048898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:20.823{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\aws-cfn-bootstra|35e7e271cf824313\BinProductVersion2.0.10.0 13241300x800000000000000048897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:20.823{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\aws-cfn-bootstra|35e7e271cf824313\LinkDate09/17/2019 05:33:38 13241300x800000000000000048896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:20.823{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\aws-cfn-bootstra|35e7e271cf824313\Publisheramazon web services 13241300x800000000000000048895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:20.823{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\aws-cfn-bootstra|35e7e271cf824313\LowerCaseLongPathc:\programdata\package cache\{aaabfc3d-0762-4c4a-abd7-b8cc9b732a0a}\aws-cfn-bootstrap-bundle.exe 13241300x800000000000000048894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:20.808{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\000050fbef40d5829db8b6e17a1708bbadd70000ffff\PublisherAmazon Web Services 13241300x800000000000000048893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:20.723{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\000044a42f7135a61b03c6606316900e1cd600000904\PublisherAmazon Web Services Developer Relations 23542300x800000000000000048892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:20.124{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84F6662CA2CC937B9D4F1C2D1B9A5D98,SHA256=DBD93692C90A55BD5930869703D64D568730F601DB48DF6C3A7649D990718680,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:20.124{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:20.124{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:20.124{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:20.124{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.674{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.673{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.673{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.664{328C47E9-38F7-621F-2706-000000003602}10201336C:\Windows\system32\taskhostw.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.661{328C47E9-38F7-621F-2706-000000003602}10201336C:\Windows\system32\taskhostw.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.657{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.656{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.656{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.656{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.654{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.654{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.654{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.654{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.614{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.427{328C47E9-32BE-621F-1600-000000003602}13165064C:\Windows\system32\svchost.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.425{328C47E9-32BE-621F-1600-000000003602}13161364C:\Windows\system32\svchost.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.393{328C47E9-32BB-621F-0B00-000000003602}6161212C:\Windows\system32\lsass.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.393{328C47E9-32BB-621F-0B00-000000003602}6161212C:\Windows\system32\lsass.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000048869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.322{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCF25FB86FCE1CB6F80705CE7BE2CE4,SHA256=8B63D4CA776098F67C53F481F8BE57B344144370932BAF64F4652EE08CB90589,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.156{328C47E9-32BE-621F-1300-000000003602}9566496C:\Windows\System32\svchost.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000048867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDBSetValue2022-03-02 10:20:19.155{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exeHKU\S-1-5-21-255986400-45527644-2136164048-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\IDA Freeware 7.6\ida64.exeBinary Data 10341000x800000000000000048866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.140{328C47E9-32BE-621F-1300-000000003602}9565168C:\Windows\System32\svchost.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.140{328C47E9-32BE-621F-1300-000000003602}9565168C:\Windows\System32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.126{328C47E9-38F4-621F-1506-000000003602}39484440C:\Windows\system32\csrss.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.125{328C47E9-38F8-621F-2E06-000000003602}23084636C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+aae60|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\windows.storage.dll+10932|C:\Windows\System32\windows.storage.dll+10629|C:\Windows\System32\windows.storage.dll+104ff|C:\Windows\System32\SHELL32.dll+38397a|C:\Windows\System32\SHELL32.dll+383222|C:\Windows\System32\SHLWAPI.dll+e42f 154100x800000000000000048862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:19.089{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe7.6.21.0526The Interactive DisassemblerThe Interactive DisassemblerHex-Rays SAida64.exe"C:\Program Files\IDA Freeware 7.6\ida64.exe" C:\Temp\c.binC:\Program Files\IDA Freeware 7.6\ATTACKRANGE\Administrator{328C47E9-38F6-621F-7F7B-3A0000000000}0x3a7b7f2HighMD5=A1432243312034497B77DA10D5240682,SHA256=D7AE37DAB0CD731ABB1B43B9C702F77A8C2E2090C45CB9D43948588A72F17BA4,IMPHASH=BE1F728BB8A157DEEA3F4C9B1D6E2337{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 13241300x800000000000000048861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.827{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\amazonssmagentse|ca08623c13d8aded\BinProductVersion3.1.804.0 13241300x800000000000000048860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.827{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\amazonssmagentse|ca08623c13d8aded\LinkDate05/01/2017 14:33:52 13241300x800000000000000048859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.827{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\amazonssmagentse|ca08623c13d8aded\Publisheramazon web services 13241300x800000000000000048858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.827{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\amazonssmagentse|ca08623c13d8aded\LowerCaseLongPathc:\programdata\package cache\{1fe03f4a-a482-463b-8efa-79a43ef8f853}\amazonssmagentsetup.exe 13241300x800000000000000048857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.827{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\0000b35d68f57972271fa28ddc563eddfe600000ffff\PublisherAmazon Web Services 13241300x800000000000000048856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.774{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\BinProductVersion(Empty) 13241300x800000000000000048855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.774{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\LinkDate01/01/1970 00:00:00 13241300x800000000000000048854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.774{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\Publisher(Empty) 13241300x800000000000000048853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.774{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\LowerCaseLongPathc:\program files\amazon\ssm\ssm-agent-worker.exe 13241300x800000000000000048852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.774{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\0000b35d68f57972271fa28ddc563eddfe6000000904\PublisherAmazon Web Services 13241300x800000000000000048851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.558{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\000050fbef40d5829db8b6e17a1708bbadd700000904\PublisherAmazon Web Services 13241300x800000000000000048850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\BinProductVersion(Empty) 13241300x800000000000000048849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\LinkDate01/10/2020 01:30:07 13241300x800000000000000048848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\Publisher(Empty) 13241300x800000000000000048847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\srm.exe 13241300x800000000000000048846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\BinProductVersion10.0.10011.16384 13241300x800000000000000048845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\LinkDate10/02/2019 17:37:14 13241300x800000000000000048844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\Publisherwindows (r) win 7 ddk provider 13241300x800000000000000048843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunkmonitornohandledrv.sys 13241300x800000000000000048842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\BinProductVersion10.0.10011.16384 13241300x800000000000000048841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\LinkDate10/02/2019 17:37:08 13241300x800000000000000048840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\Publisherwindows (r) win 7 ddk provider 13241300x800000000000000048839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunkdrv.sys 13241300x800000000000000048838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\BinProductVersion2048.512.24125.32311 13241300x800000000000000048837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\LinkDate02/07/2020 15:26:19 13241300x800000000000000048836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\Publishersplunk inc. 13241300x800000000000000048835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunkd.exe 13241300x800000000000000048834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\BinProductVersion2048.512.24125.32311 13241300x800000000000000048833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\LinkDate02/07/2020 15:13:21 13241300x800000000000000048832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\Publishersplunk inc. 13241300x800000000000000048831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk.exe 13241300x800000000000000048830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\BinProductVersion2048.512.24125.32311 13241300x800000000000000048829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\LinkDate02/07/2020 15:24:43 13241300x800000000000000048828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\Publishersplunk inc. 13241300x800000000000000048827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-wmi.exe 13241300x800000000000000048826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\BinProductVersion2048.512.24125.32311 13241300x800000000000000048825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\LinkDate02/07/2020 15:19:24 13241300x800000000000000048824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\Publishersplunk inc. 13241300x800000000000000048823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-winprintmon.exe 13241300x800000000000000048822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\BinProductVersion2048.512.24125.32311 13241300x800000000000000048821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\LinkDate02/07/2020 15:19:16 13241300x800000000000000048820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\Publishersplunk inc. 13241300x800000000000000048819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-winhostinfo.exe 13241300x800000000000000048818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\BinProductVersion2048.512.24125.32311 13241300x800000000000000048817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\LinkDate02/07/2020 15:18:57 13241300x800000000000000048816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\Publishersplunk inc. 13241300x800000000000000048815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-winevtlog.exe 13241300x800000000000000048814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\BinProductVersion2048.512.24125.32311 13241300x800000000000000048813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\LinkDate02/07/2020 15:19:10 13241300x800000000000000048812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\Publishersplunk inc. 13241300x800000000000000048811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-regmon.exe 13241300x800000000000000048810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\BinProductVersion(Empty) 13241300x800000000000000048809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\LinkDate02/07/2020 15:18:45 13241300x800000000000000048808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\Publisher(Empty) 13241300x800000000000000048807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-powershell.exe 13241300x800000000000000048806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\BinProductVersion2048.512.24125.32311 13241300x800000000000000048805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\LinkDate02/07/2020 15:18:45 13241300x800000000000000048804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\Publishersplunk inc. 13241300x800000000000000048803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-perfmon.exe 13241300x800000000000000048802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\BinProductVersion2048.512.24125.32311 13241300x800000000000000048801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\LinkDate02/07/2020 15:18:57 13241300x800000000000000048800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\Publishersplunk inc. 13241300x800000000000000048799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-netmon.exe 13241300x800000000000000048798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\BinProductVersion10.0.10011.16384 13241300x800000000000000048797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\LinkDate02/07/2020 15:18:52 13241300x800000000000000048796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\Publisherwindows (r) win 7 ddk provider 13241300x800000000000000048795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-monitornohandle.exe 13241300x800000000000000048794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\BinProductVersion2048.512.24125.32311 13241300x800000000000000048793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\LinkDate02/07/2020 15:13:21 13241300x800000000000000048792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\Publishersplunk inc. 13241300x800000000000000048791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.474{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-compresstool.exe 13241300x800000000000000048790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\BinProductVersion2048.512.24125.32311 13241300x800000000000000048789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\LinkDate02/07/2020 15:19:19 13241300x800000000000000048788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\Publishersplunk inc. 13241300x800000000000000048787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-admon.exe 13241300x800000000000000048786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\BinProductVersion10.0.10011.16384 13241300x800000000000000048785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\LinkDate09/27/2019 18:25:44 13241300x800000000000000048784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\Publisherwindows (r) win 7 ddk provider 13241300x800000000000000048783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splknetdrv.sys 13241300x800000000000000048782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\BinProductVersion(Empty) 13241300x800000000000000048781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\LinkDate01/10/2020 00:48:57 13241300x800000000000000048780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\Publisher(Empty) 13241300x800000000000000048779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\openssl.exe 13241300x800000000000000048778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\BinProductVersion2048.512.24125.32311 13241300x800000000000000048777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\LinkDate02/07/2020 15:13:14 13241300x800000000000000048776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\Publishersplunk inc. 13241300x800000000000000048775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\classify.exe 13241300x800000000000000048774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\BinProductVersion2048.512.24125.32311 13241300x800000000000000048773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\LinkDate02/07/2020 15:12:56 13241300x800000000000000048772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\Publishersplunk inc. 13241300x800000000000000048771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\btprobe.exe 13241300x800000000000000048770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\BinProductVersion2048.512.24125.32311 13241300x800000000000000048769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\LinkDate02/07/2020 15:12:56 13241300x800000000000000048768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\Publishersplunk inc. 13241300x800000000000000048767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\btool.exe 13241300x800000000000000048766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.458{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\00006e465eb93b9ef9ed1111015f594f733000000904\PublisherSplunk, Inc. 13241300x800000000000000048765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.362{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\0000963b1531b17a83e9c9d94a81d3b73d6400000904\PublisherMicrosoft Corporation 13241300x800000000000000048764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:18.309{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplication\0000ca9d6a87533b8fd4d2ba575a5db4ca5d00000904\PublisherMicrosoft Corporation 10341000x800000000000000048763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:18.279{328C47E9-32BE-621F-1600-000000003602}13165064C:\Windows\system32\svchost.exe{328C47E9-44E2-621F-FE07-000000003602}7828C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:18.278{328C47E9-32BE-621F-1600-000000003602}13161364C:\Windows\system32\svchost.exe{328C47E9-44E2-621F-FE07-000000003602}7828C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:18.270{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-44E2-621F-FE07-000000003602}7828C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:18.263{328C47E9-38F4-621F-1506-000000003602}39484440C:\Windows\system32\csrss.exe{328C47E9-44E2-621F-FE07-000000003602}7828C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:18.260{328C47E9-32BB-621F-0500-000000003602}400416C:\Windows\system32\csrss.exe{328C47E9-44E2-621F-FE07-000000003602}7828C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:18.260{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-44E2-621F-FE07-000000003602}7828C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000048757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:20:18.172{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\BinProductVersion8.3.2.0 13241300x800000000000000048756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:20:18.172{328C47E9-44DD-621F-FB07-000000003602}4976C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{66e3397c-9c46-fe5d-5474-bb0713f132f0}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\LinkDate12/15/2018 22:24:36 354300x800000000000000019833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:19.089{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50490-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:20.248{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D764DD3F6B463E74F42A2D6E719552,SHA256=9B36C320A6EECA644CC2090D2276E67C102FBE9BC5F5FDD1F6EE49B51D97BCB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:20.170{0B31F0A7-3557-621F-9D00-000000003702}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=BF300F7014437E589E790062B067C7C5,SHA256=F82904089512CD064BF4FD93876F475B3938370D05E059CC66B62D22F3E3360E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.592{328C47E9-44E5-621F-0008-000000003602}28246024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.376{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44E5-621F-0008-000000003602}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.374{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.374{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.373{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.373{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.373{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-44E5-621F-0008-000000003602}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.372{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44E5-621F-0008-000000003602}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.372{328C47E9-44E5-621F-0008-000000003602}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.239{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.239{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.239{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.239{328C47E9-38F7-621F-2706-000000003602}10201336C:\Windows\system32\taskhostw.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.239{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.239{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.239{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.223{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.223{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.223{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.223{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:21.223{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000048904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:18.997{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65348-false10.0.1.12-8000- 23542300x800000000000000019834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:21.266{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6D7DB9E1B2417A954EE5EE963309953,SHA256=D0E88801A3F14FFE4A111B3CB00DAAB01012130D8EF0070F02FD6222E155F05A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.913{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44E6-621F-0208-000000003602}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.913{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.913{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.913{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.913{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.913{328C47E9-32BB-621F-0500-000000003602}400416C:\Windows\system32\csrss.exe{328C47E9-44E6-621F-0208-000000003602}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.913{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44E6-621F-0208-000000003602}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.916{328C47E9-44E6-621F-0208-000000003602}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.498{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.498{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.498{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.467{328C47E9-38F7-621F-2706-000000003602}10201336C:\Windows\system32\taskhostw.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.451{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.451{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.451{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.451{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.451{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.451{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.451{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.451{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000048942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.398{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=520E14BE22C0B29ED57C09915FC5C0FE,SHA256=09C3A07DD18EA53ED08C772FE4B6D08F448BBA014FF0CB0EE05705FC64D056B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.398{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44E6-621F-0108-000000003602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.383{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.383{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.383{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.383{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.383{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-44E6-621F-0108-000000003602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.383{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44E6-621F-0108-000000003602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.156{328C47E9-44E6-621F-0108-000000003602}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000048933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:20:22.336{328C47E9-32BE-621F-1500-000000003602}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000009c6) 13241300x800000000000000048932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:20:22.336{328C47E9-32BE-621F-1500-000000003602}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{F44FDBE5-5257-4CDF-8C9A-0A4ED5C1973E}v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\Program Files\IDA Freeware 7.6\ida64.exe|Name=Interactive Disassembler (64-bit)| 10341000x800000000000000048931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.336{328C47E9-32BE-621F-1500-000000003602}11766440C:\Windows\system32\svchost.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+15d5a|c:\windows\system32\mpssvc.dll+2fb3e|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.336{328C47E9-32BE-621F-1500-000000003602}11766440C:\Windows\system32\svchost.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+2f625|c:\windows\system32\mpssvc.dll+2f53e|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000048929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:20:22.336{328C47E9-32BE-621F-1500-000000003602}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000009c5) 13241300x800000000000000048928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:20:22.336{328C47E9-32BE-621F-1500-000000003602}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{C938D796-30EC-4FA3-8CCA-27D9AC69FB46}v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\Program Files\IDA Freeware 7.6\ida64.exe|Name=Interactive Disassembler (64-bit)| 10341000x800000000000000048927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.336{328C47E9-32BE-621F-1500-000000003602}11766440C:\Windows\system32\svchost.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+15d5a|c:\windows\system32\mpssvc.dll+2fb3e|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.336{328C47E9-32BE-621F-1500-000000003602}11766440C:\Windows\system32\svchost.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+2f625|c:\windows\system32\mpssvc.dll+2f53e|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000019836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:19.993{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50491-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000019835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:22.422{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C3CF4B5103DFE1D13449E5CCB81FA7,SHA256=EC08E0A7166922B2242337ACA00510009E100802E786B3FBBA2560CD2B33FF94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.953{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.953{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.953{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.916{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.916{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.916{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.916{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000048984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.916{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16CE4FE3307D4CD84A6BB8CFAACF8DAC,SHA256=8A8BB830126F6D077504AB705324B804ECFA30F48F503D887AB5865CF48C3561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.853{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.853{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.853{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.829{328C47E9-38F7-621F-2706-000000003602}10201336C:\Windows\system32\taskhostw.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.829{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.829{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.829{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.813{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.813{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.813{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.813{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.813{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000048971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.797{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDB14E802F7526881E29980F6778882,SHA256=98A484E26AF4C656637D993810B36A71CE02B4D341572846980C7B1725CE6B04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.797{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44E7-621F-0308-000000003602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.797{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.797{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.797{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.797{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.797{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-44E7-621F-0308-000000003602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.797{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44E7-621F-0308-000000003602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:23.802{328C47E9-44E7-621F-0308-000000003602}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:23.438{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A835D5A70980359C2B798CD719856D,SHA256=B2A99702318B1D2100029C47701008D81DFD88350161647EB57F41F7B18719A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:24.187{328C47E9-44E3-621F-FF07-000000003602}5648ATTACKRANGE\AdministratorC:\Program Files\IDA Freeware 7.6\ida64.exeC:\Temp\c.bin.id2MD5=C0CBAB1236937CDBA4B5D4875D9115F6,SHA256=7A62C38D13D016E3788B00FAE683DE6B2CFDE9AB4B936650766B81965EC3ABCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:24.187{328C47E9-44E3-621F-FF07-000000003602}5648ATTACKRANGE\AdministratorC:\Program Files\IDA Freeware 7.6\ida64.exeC:\Temp\c.bin.id2MD5=24B1051182117AFEC7E76A2143FA9155,SHA256=010AE71265CDD8EF10C7B901E85AB43CE66428D6BDE4A57A73E4E91963F8CB91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:24.170{328C47E9-44E3-621F-FF07-000000003602}5648ATTACKRANGE\AdministratorC:\Program Files\IDA Freeware 7.6\ida64.exeC:\Temp\c.bin.id2MD5=52CBB60B4CEA2675D5F0F546D99869FD,SHA256=7A999FB09397EA50034DAB983668A5114A67083407FF38F9CDB1DFC5ACDEE448,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:24.170{328C47E9-44E7-621F-0308-000000003602}19566672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000048993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.212{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local65349-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000048992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:22.212{328C47E9-32CB-621F-2800-000000003602}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local65349-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local389ldap 23542300x800000000000000019838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:24.594{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6E2798C8848E15D483389BD07710CE,SHA256=26B4D31146CB3122BEDE0E9E908CBBA7DF95A4982E7121A9B52938FDDC3AD9D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:25.476{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:25.470{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:25.470{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:25.469{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:25.625{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1F76B0DF0B06B0D10C103CB50471F3,SHA256=BC791A8442E41794646EBE9A81773F74EB0BFB90FCDB5120EBCDB2A4F70E699C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.813{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44EA-621F-0408-000000003602}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.782{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCDF9DBD75B93DAB5D0D697B471EAA31,SHA256=4C37D483DF2C6E21CC23C99F3D9B421CE553F3BB051CC4AA0436B2F9A9A71583,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.780{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.780{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.779{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.779{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.779{328C47E9-32BB-621F-0500-000000003602}400416C:\Windows\system32\csrss.exe{328C47E9-44EA-621F-0408-000000003602}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.779{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44EA-621F-0408-000000003602}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.778{328C47E9-44EA-621F-0408-000000003602}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.777{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD102D9B069C192FDFDC5C5D3BABEB03,SHA256=026AD72AE780B0A17980DA9AC942EDE9C864B756265CA4ED15CBE8E8A355E708,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.697{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.697{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.697{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.643{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.643{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.643{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.643{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.643{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.643{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.627{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.627{328C47E9-44E3-621F-FF07-000000003602}5648ATTACKRANGE\AdministratorC:\Program Files\IDA Freeware 7.6\ida64.exeC:\Temp\c.bin.id2MD5=5915C1D5D28F27D5282702F205657F92,SHA256=6533ACE3D5E1EF8D7B37A6FCF94F8488E8ADB224355BF9466CA3CB293DC21C47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.596{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.596{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.596{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.543{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.543{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.543{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.527{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.527{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.527{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.527{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000049003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:24.042{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65350-false10.0.1.12-8000- 23542300x800000000000000049002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.023{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4761B7EE308AB2C279DAB5F0D7DD1F6C,SHA256=8BB35C61ACA5E546B770786DF1EAD91656C741C91580653B596CADB6CCFE4672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:26.641{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279006F7957692F099556D5A11BCCE88,SHA256=57C0138B318C8BD1E0EC1D4EA7F498E9765802C1DE67AC26BF13CDB8C6683CB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:24.089{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50492-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:27.945{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C9EFBAAE8194AAC627DDA997D568D7,SHA256=719E8318C1C0A9ED12DED714984D8BDFAB3003A196763CB95F0BB0C529966181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:27.945{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F1E3C00442D853ADDFC0565E6B5A83D,SHA256=7928076AE28E62C016DB95B5FD63C6C582A478EF900D75A06BAEB0944E9A41DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:27.782{328C47E9-44EB-621F-0508-000000003602}60404264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:27.582{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44EB-621F-0508-000000003602}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:27.582{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:27.582{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:27.582{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:27.582{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-44EB-621F-0508-000000003602}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:27.582{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:27.581{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44EB-621F-0508-000000003602}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:27.446{328C47E9-44EB-621F-0508-000000003602}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:26.998{328C47E9-44EA-621F-0408-000000003602}66325152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:27.656{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642DA555F7F23561220211A6DC4E181B,SHA256=0C3D6A17630A7EFB3758F3AD32FB81066D95904751DFB40D98E05487B0C5A19B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:28.656{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416B08F9CC26EE17A78CF86569DE3FEE,SHA256=91FA979325E015EE9C18D11F14D0723F76AB6DDAC1B236E8CDB24BDCE6959D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:28.603{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB24441D3F6DBF3C9289FD126B21DA0,SHA256=BDE9FB84B5C6937CC71ABF21419CFA14945FA5ACDDB7DB2922EA23084A5B754C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:28.420{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44EC-621F-0608-000000003602}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:28.420{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:28.420{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:28.420{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:28.420{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:28.420{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-44EC-621F-0608-000000003602}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:28.420{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44EC-621F-0608-000000003602}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:28.263{328C47E9-44EC-621F-0608-000000003602}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:29.672{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262531D7E38226234C15404BC7373856,SHA256=53938BCD9A60D4DF61DC566C15CAB529B1B0069A82831EEBF7DED9AF34981663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:29.618{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48C3E73052FDBEC8673DF19BF09B7CF,SHA256=20C218FBB3713122E24637C809ADF1520B6C633B21512E737400290A860C54A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:29.287{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:29.287{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:29.287{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:29.265{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2255C0EF921791E27C98705878AA59A2,SHA256=DC53B938670694DF1E9659CF9D138D10A5E529C2051B760D68AE8FD0DCFE1766,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:29.234{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:29.234{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:29.234{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:29.218{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:29.218{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:29.218{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:29.218{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:30.633{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF7AD16901C30F7AC38863E372A9592,SHA256=F93E706E1D353590CD9F5DE0BE02B553B5789B20B84AAEAF09442AF8AFFB8E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:30.687{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B317924A43302E1BF1C49E7138F87F9D,SHA256=3286BE0B8ED9D6210E2968D373F15C424A6BF7C1A2216EBA4BE5857C7D94DA26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:31.649{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2EA115650F8939F7F9850513EDB9BB,SHA256=5D8514EA6857566881453FE52256BD4496FE811BE70266A74D8332ECCC59C4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:31.703{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A1C1BAC9B1CC91EB1CEE7D5E7B7EC8,SHA256=AC47EBCBDA185FF7729527BC7479F99E71421D6F7DFA76D722DAF23F202AEF20,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:30.007{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65351-false10.0.1.12-8000- 354300x800000000000000019846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:29.933{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50493-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:32.651{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24321F730C1415AAE739F909B793A820,SHA256=E4CAA884569A8DC1673B4E3135BA7D7147F187D9475F6BF9003278CA5498D2AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:32.704{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA169C96CEA1A455FB903364F0228EB3,SHA256=AB4595A4A4FDE4630BE88F83E88B4914EA2246830BBA9DCCF4C6F596DD36A7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:32.597{0B31F0A7-34D4-621F-1D00-000000003702}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05f92af3186bb896f\channels\health\respondent-20220302091151-066MD5=430E98715AF7AF3635AF491DD4D57DC0,SHA256=DB5ABDF044C29F4F52A2AE95E41AD07DA17545B9719AB57C70BFA50A5C4AEE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:33.718{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC38B7F595290512C665394992380E08,SHA256=707BD1968114874554D4A0BA91D078D84C0077A6A320F37ACE8398BBC136C71A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:33.664{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8AD408D0934DAAA0F7FC1E4917F534,SHA256=134E63819A2DF218AB677B96B246193C63ECA00499DBE5C70B57359AD5054BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:33.265{328C47E9-32CB-621F-2C00-000000003602}2984NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=BF300F7014437E589E790062B067C7C5,SHA256=F82904089512CD064BF4FD93876F475B3938370D05E059CC66B62D22F3E3360E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:33.611{0B31F0A7-34D4-621F-1D00-000000003702}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05f92af3186bb896f\channels\health\surveyor-20220302091149-067MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:34.682{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8864A4B9D8D1049CE6694F99CDC575F1,SHA256=0ED937F8BF6F80145EE5DD2A88EB239A4A25DE0FD054239AA89BFF936BBE99F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:34.751{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC11A7B5C90A7CBEC350F0FEF7B82CA7,SHA256=17DAB2AF728EC2AB139C119E23EC6A3B0FBB6A3CA74F4884C3AAA929EE5ED244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:35.767{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC1FF30099348906554643EF228677A,SHA256=67BEBBE726DED253352D99AC9516F474D769CC765CF22BADEBC2798F5FDA0DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:35.716{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE03CE63838A5D74BB77E1A8CBECE67,SHA256=8A4774B97CCD647E1EF0E9CF995512951B63C2A7FA1D7BEA4B2B7EA84E1A95DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:33.222{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65352-false10.0.1.12-8089- 10341000x800000000000000049077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:35.263{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:35.263{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:35.263{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:36.763{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973D178E738FC1AC418BEA1FAD4C75DE,SHA256=04C3D47BB6F522F88F7DCF8ED5E198C2C6577FC0A2E09E2D6C1391D918C96B89,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:35.037{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65353-false10.0.1.12-8000- 10341000x800000000000000049095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:37.846{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:37.846{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:37.846{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:37.814{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17DE4519408732E8D5DE7F2B6190AFBE,SHA256=F8BD62F080235D87E70C48F0519BCA039A259B4EECD02D199841E18E57EBEB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:37.017{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BD950DE6B589795B038EFBBA5627EB,SHA256=306777442D4E4F4C0C2682A68D32541A67F85BBBE9D97D6E09C5D99A17A70756,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:37.746{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:37.746{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:37.746{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:37.715{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:37.715{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:37.715{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:37.715{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:37.699{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:37.699{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:37.699{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:38.830{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D892B2FE495F6EFD6342B506217A03BF,SHA256=020CFA66146DCFF92C8FAB00995876CE7F1A109602A5A5F33BB03D3E054C6BE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:35.903{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50494-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:38.208{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1672EC67F9A68914D54659D2BBCBFA4,SHA256=FC3839C64C2DE7978329002C6A29B9E9CEB40FAEA90C35FF360769DE27B42F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:39.830{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712165E33E50A200DE96DC62CD8CC3F3,SHA256=985688AAB17F1436502F26F2B04F0A813FA58DEDB28DEF38A4ED0868DF0D3D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:39.235{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6175D874DEA4434CDDB765934F4649EB,SHA256=1B8BC4E9BAB5F65C2B371DF59B6088991326D6856959331E51B1BB77173CA360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:40.830{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9C2806C1821EF1E8FF696633BFC245,SHA256=C1B8D8CBA3A18C37388A6A7B5205CF79EC629EDA1716D475BD1765B4268822F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:40.470{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D7971CFF042148965FE35267E6CE90,SHA256=3EAB182DC90A6BF26EBA834A8DD77300CABE35861F045BFBC038D2DA91C13F63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:40.198{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:40.198{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-3909-621F-3F06-000000003602}1136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:40.198{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000049098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:40.198{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-3909-621F-3F06-000000003602}1136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 23542300x800000000000000049104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:41.845{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4792B6D90133B521D8B77E5D15E528,SHA256=9C2764F4B2A37BAF883355AD1990C80FF41982764F368FD9EC4192B614420817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:41.696{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB399B4E51B8421E2F7F357193BF801C,SHA256=5A9E30F7724ECAC0CE004F501B25EB8D666437409B8907808ABC3A4106F38D71,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:40.087{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65354-false10.0.1.12-8000- 23542300x800000000000000049105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:42.861{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F4F7ABCC8005538F14733ADCBE8E22,SHA256=0A565560C869AE5AF1FFC91205E17884D32692252DE6D1287EB48A4BDE916F61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:40.910{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50495-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:42.821{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09D770432815FEA744E6C64E43E9608C,SHA256=1569561F6FD9E69BDC74B6FFD889CF89AE0ADBC661C5174C3095A977036EAF80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:43.836{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427806F26E8C656535E539804FEF7CF0,SHA256=849C2F5B401BCB4CBAFD9AD922C628CE16EA51CC9F5805FB7141FEC4AF7A66B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:43.861{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ACB76283E9459118B60ABF895BF9FC8,SHA256=F9CD9DCC0658AC8BCDB005824F4B8C6E12CC48B6F9717C1C73C1AB8A2CACEC55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:44.852{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EB94FA8E98A22ACC3ABD61209521DF,SHA256=C84C1678F44658AA933D16D8580B7A7A196B6AC4714268C6126D89D9508D2014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:44.880{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15672A23E6B77E51DFAA4310E28E507,SHA256=6FF01F444EC595095DDB912F7532CAF6FF709D8761D79E4195267DFBFF83ED86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:45.867{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9818EAD88BD49E62A8AA9176900931A,SHA256=DBB5119390054F423665DCF4A55F9892037CA216B14A075BD1839EEA43AF4DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:45.900{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF94C9686924FCF442259EB0D7C18B6,SHA256=89CF71F1777095EC1D442F4F1EDF1904C257FA35448F45DA3B24F42F8AF41159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:46.883{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C78728C1ED334B8F475AE14DBBDEA94,SHA256=F8BE36BA318C1C8518F740B8303EF5DE3B0C5DB2982C74324ADD0BA5FB0893F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:46.915{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995F67A17344554AD94D021E593B68CF,SHA256=58514598FAB8316E2C4B7FCFB6276BF00FCAA030CE3EEC66445664BB13168692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:47.916{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DADBB2BE5A13CEE92D2AE9269F76723,SHA256=9CE4F9749E8589D8B178D453C42E8D0948A1A712E78FB33BB419DFE3B2D9E9D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:47.899{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8519817F395163A3210B633530C293B0,SHA256=21BA8DA48C7AA2078034A7FB35BCD00893016746D2A3792374E45B5E468D5872,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:46.052{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65355-false10.0.1.12-8000- 23542300x800000000000000019867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:48.930{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB49D888ABBA521627E59E52B3612E2D,SHA256=2113166B2B569DD0F43686A489A583BED74C444FE7EF202CF7FB4658F827EFCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:48.931{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CDF30B6120AEEEC51DF65AD7365605,SHA256=D68B70F1E3A4B30B779088038D5D853B2C04123066E16C91B2C120AB6635B685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:49.934{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDBED1EEB0B603C597D238694E7A342,SHA256=9B644FDF7671013EABBC4B4C661BFBA1E3F4C38F02FD297B006475422E488226,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000019879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-SetValue2022-03-02 10:20:49.914{0B31F0A7-34D3-621F-0B00-000000003702}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000019878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-SetValue2022-03-02 10:20:49.914{0B31F0A7-34D3-621F-0B00-000000003702}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003f413c) 13241300x800000000000000019877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-SetValue2022-03-02 10:20:49.914{0B31F0A7-34D3-621F-0B00-000000003702}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82e16-0xce40e36f) 13241300x800000000000000019876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-SetValue2022-03-02 10:20:49.914{0B31F0A7-34D3-621F-0B00-000000003702}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82e1f-0x30054b6f) 13241300x800000000000000019875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-SetValue2022-03-02 10:20:49.914{0B31F0A7-34D3-621F-0B00-000000003702}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82e27-0x91c9b36f) 13241300x800000000000000019874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-SetValue2022-03-02 10:20:49.914{0B31F0A7-34D3-621F-0B00-000000003702}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000019873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-SetValue2022-03-02 10:20:49.914{0B31F0A7-34D3-621F-0B00-000000003702}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003f413c) 13241300x800000000000000019872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-SetValue2022-03-02 10:20:49.914{0B31F0A7-34D3-621F-0B00-000000003702}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82e16-0xce40e36f) 13241300x800000000000000019871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-SetValue2022-03-02 10:20:49.914{0B31F0A7-34D3-621F-0B00-000000003702}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82e1f-0x30054b6f) 13241300x800000000000000019870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-SetValue2022-03-02 10:20:49.914{0B31F0A7-34D3-621F-0B00-000000003702}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82e27-0x91c9b36f) 23542300x800000000000000019869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:49.258{0B31F0A7-34D4-621F-1100-000000003702}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3127F63296AD21A48333B5B10536CDBA,SHA256=F77F952FFEC4D3964F468A75514D896DB230D36BEC0F2FDD8F49824BD2F8C729,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:46.925{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50496-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:50.934{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B64CBDB867EA7F8322E4BDD7AC3701,SHA256=E6EF3BDD801C2896401E11682C0B76F441D7769228D8AD47B9E1518A08A813AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:50.164{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5500D97F65CFA8D281CC53DBF175E14D,SHA256=0F2E9A7C3C343D3664776C3E16C2F19F75E9F62B2A96496004546772724B7663,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:50.919{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:50.919{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:50.919{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:51.936{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A5862BF2CFB1632A7DD4626CC180E3,SHA256=443F400D532E376504A0504A4E04B6C0D081146DF1F854B684B11AF663DE276B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:51.258{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDDFA08E4C41E1D92FED731916E82C3,SHA256=5933BB3335F53E2F2455BD9A536B309AC337C34459D9D6F9A6A6429531F8D0BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:51.819{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:51.819{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:51.819{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:51.819{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:51.819{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:51.819{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:51.819{328C47E9-38F8-621F-2E06-000000003602}23083400C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:51.819{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:51.819{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:51.819{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:52.951{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5656DBB8AB0314D7156E00A7366699F9,SHA256=3C6F12AC10B04456AF5E55AD374F397D00BC91F2980C65E40BB4B55750E09C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:52.274{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50AF8C461E25E857EF89BC2B83E54D8,SHA256=601589728C245D43EAAC2BAA090DD2FB6F0246D13DC88CEB5BC69BCDBD7EF631,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:52.105{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:52.105{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:52.105{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:52.089{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:52.089{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:52.089{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:53.966{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EEFA3CE1DB12F09B7D3C2A5BCE9CD2,SHA256=1BA0619CA0DB6B86A6AC01B18C9C277CB7B47654CCF0F62D2FA901854AA1F95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:53.336{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20ACC780C2E615D8D192E12E2931629A,SHA256=36AF8B95746D80BA26118E53F84C944B427753D66CD198C14C8169FDD939C6E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:51.139{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65356-false10.0.1.12-8000- 23542300x800000000000000049142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:54.984{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0900703EC9CCA608FFC4127E42ADA034,SHA256=FCF2A1203A65BD0FBA92F5A7292BBBEA1FB773BCEABDAC3C65CB49AB81FC5A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:54.336{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFA46EE7D0EB16AD4BC95F1FDC0629B,SHA256=CC58C705BE4EC6057F558B0DA90A52237256E87C5D21B046A83685C95331F8EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:54.350{328C47E9-3B6C-621F-9E06-000000003602}1620856C:\Program Files\Mozilla Firefox\firefox.exe{328C47E9-3C8A-621F-E206-000000003602}4368C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e39b8f|C:\Program Files\Mozilla Firefox\xul.dll+1159116|C:\Program Files\Mozilla Firefox\xul.dll+e3668d|C:\Program Files\Mozilla Firefox\xul.dll+e1aa10|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a16a51|C:\Program Files\Mozilla Firefox\xul.dll+179e510|C:\Program Files\Mozilla Firefox\xul.dll+16d8cea|C:\Program Files\Mozilla Firefox\xul.dll+1bdb94e|C:\Program Files\Mozilla Firefox\xul.dll+1bd226f|C:\Program Files\Mozilla Firefox\xul.dll+179e731|C:\Program Files\Mozilla Firefox\xul.dll+16d8cea|C:\Program Files\Mozilla Firefox\xul.dll+1bdb94e|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1886497|C:\Program Files\Mozilla Firefox\xul.dll+1ad5851|C:\Program Files\Mozilla Firefox\xul.dll+176b743|C:\Program Files\Mozilla Firefox\xul.dll+176a375|C:\Program Files\Mozilla Firefox\xul.dll+11c9ad 10341000x800000000000000049140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:54.350{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:54.350{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:54.350{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:55.570{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=214E664F3E57918F6370ED9D081B4FAA,SHA256=B44CBA77C8BADC0FD66EACC8F1B70910ED2841ECF13342D25DAF1E60E8D29805,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:52.925{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50497-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:55.166{328C47E9-32BE-621F-1200-000000003602}340NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EA2FD869D96A8D10650F783A93F8E25E,SHA256=F746352B9B06695FE0EFB4EE1A5BC7D2C7DA1719863745BE2F0023F6A8240C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:56.602{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8102CACED758F3EF19E10F156D06F09,SHA256=3927746B36B47DFD33E8845501956D587DAB99E57CA915A5AE54776B5B086B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:56.003{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14AEC7E44DD8BDC83E3A8E5D39E5A625,SHA256=E140A20F7D160119B2AFAAE6D30B0582991648E5D38CE418DF5AF547BB695D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:57.680{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85DB5E505CBF9E17694014E7445BA3B2,SHA256=E0C61CBDBA3B8F0417056E9ED4D679E49CAE27C19C89557BF393EDF153B21987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:57.888{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\cache2\doomed\19028MD5=456D5B8B15FDC701649A2E96DEE5FC92,SHA256=674FB78A26F6FEC096A4675519403D4A1CE30122CAB945335F125972B0F62511,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:56.392{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local50734- 354300x800000000000000049146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:56.379{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local51553- 23542300x800000000000000049145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:57.003{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7540D4B2575530A189C23DEE0F5527F,SHA256=3636ECF908ADD1FEAB320BA0EA34AAA956205BDA4284804942AE06099CD6C7B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:58.852{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD8E7F07FB8B518EE7BFF2AF3C905B0,SHA256=4805EFB69E624A35A37457B6971D59104877DB7DCDB9292554DA692E0741A89F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:57.412{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53161- 354300x800000000000000049158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:57.412{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local65306- 354300x800000000000000049157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:57.411{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65358-false104.84.120.101a104-84-120-101.deploy.static.akamaitechnologies.com443https 354300x800000000000000049156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:57.409{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local51826- 354300x800000000000000049155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:57.408{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local61507- 354300x800000000000000049154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:57.405{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local61427- 354300x800000000000000049153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:57.402{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local61261- 354300x800000000000000049152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:57.402{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53378- 354300x800000000000000049151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:57.139{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65357-false10.0.1.12-8000- 23542300x800000000000000049150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:58.135{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\cache2\doomed\6426MD5=CE5C181FF598DE968E162BCEC7126D8A,SHA256=2FE5DDA3EF059A15BF52889BC871F269D753E2A1A9EF1047B8A2E04362C2E037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:58.003{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF2D789CDDDFDBFF623A8733028290F,SHA256=DF9DFF2B9CA3CB150AD16B7B9D37C203A8683F925724B437DC1B5604195D84EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:59.967{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\datareporting\aborted-session-pingMD5=FA07027C6B36A70CF1BD957CD338B1FD,SHA256=01C0D0137F0F0D7E80B591F2D4961EC5F21AA7F382E72C9D226AE22B279496A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:57.946{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65360-false13.107.246.45-443https 354300x800000000000000049162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:57.946{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65359-false13.107.246.45-443https 354300x800000000000000049161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:57.942{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53929- 23542300x800000000000000049160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:59.034{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B759792ACB6AD1C1B51B5ABC16172BEB,SHA256=E18C6A167F738A6A5F3C98DB3C69B0D39FB8A6AB1E492784551453F6874D21A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:58.956{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50498-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:00.055{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B75DD7C315EFD9BC8C49B064A026924,SHA256=2E26001398E56CF0A28E509A4EA295FA15A620F24314E66B71C2FBFDEB74E045,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:00.286{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:00.286{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:00.286{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:00.286{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:00.286{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:00.286{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:00.286{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:00.049{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4194483AB068FE234F33BB15D30D9A,SHA256=6B9DCD942AB5DC9BA443874E72B941A787E5B056D89D48C973958DD97C581998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:01.076{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565BE26D9457210A1739BB3B3252B6DF,SHA256=9C7D222F592738CD8A23E42CD562CE2993ED041F4C01D5649D56479F774C735F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:01.060{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D60A439347AC5189D737A4B97E9B82,SHA256=7A5BF4B3A8A1E60F7CF55D28426ED3D1FFA39F5E2F49BA53C1C8A4828BD8BB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:02.444{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\cache2\doomed\17239MD5=3E2E00269F4489BF3D806F57E2897D95,SHA256=481F63E0CA7FFBDF7817811140F126D427275F53A54066E3C2AE740FD65C6B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:02.444{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\cache2\doomed\11274MD5=9DF40C843C9698DBFE09E11B7DC0745C,SHA256=E30F6A027BB56FB3740F5E312A754F0AE9D958538BC2FEDAE8717DF0DA6AD4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:02.444{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\cache2\doomed\4182MD5=FD7A2645EA579DB12485573B02069CCC,SHA256=1F08B7F4993322BD9F55B2B0403E58ABBB2E9689A967BC5D8B1CD74DFD33D0A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:02.444{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\cache2\doomed\12036MD5=FF009EDEDA32B0497DF92D9B48A0F2BB,SHA256=4CA8F34933569A63E9BE3036029D41F26BE6675754CFAC2D5D07605B9869600F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:02.093{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B391878A4A64A623787091F38B5A7A,SHA256=FA53D45C897CF6793750E1E1FEE02803682D5E2FFA7DF49DA2CB7FC80183DC09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:02.075{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4663F3C980BDBEDB737FA522674E9D0,SHA256=FF9F3C48E193143DC1ABEE69640C65683AF3689548BD8395EC5A44C14BEB82FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:03.091{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE533152EC52313A4124FDCF7D9CA620,SHA256=071F489CBC414AA64A7A1D7086A588554EAC249FA1CED56040FBDCBC81A1B9F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:03.112{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC136B64874BAA877E5DA0131899E60C,SHA256=C25BB53C6E217632B7531D8D6FA9C9BE43F691FB0EA515438AE109C2A9CB6EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:04.106{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1278D5001BF8F591D46D785B3A0FBF10,SHA256=3DC664079135B38A73E4EBEDE5FFB6FFD8531784A6FCEE7CEA0B8D4CB3F85D60,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:03.048{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65361-false10.0.1.12-8000- 10341000x800000000000000049183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:04.793{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:04.793{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:04.793{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:04.143{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66DF1E3C8CE192AC2522706F76F3D9B,SHA256=6A3F62218D69AA17C501E05D36AF7E894BB9D6E5A499FE156594A20804B7A410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:05.263{328C47E9-32CB-621F-3000-000000003602}2276NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b2a54b03ec6c5aa7\channels\health\respondent-20220302090310-075MD5=47B9AB6966A9A68B2D576A1C6AA75061,SHA256=8AF396895B30D9593371F8AB463A5CC9CFB2CD271124040E771BFC539AC707CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:05.159{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493B81565511C3AC88DF40A2D567B6F8,SHA256=2100F92C94337A30756C27D93F76ED5B57C0515FF5DFDE4F1D22F69D6A2DB9D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:05.122{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272484E7D4DD7D3DF8E0D2E163085C9C,SHA256=C3D00A5148538CE2315F12CFC6D00B670E83494050941A8D7596E69E27A8DC79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:06.275{328C47E9-32CB-621F-3000-000000003602}2276NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b2a54b03ec6c5aa7\channels\health\surveyor-20220302090308-076MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:06.174{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E882D690DF8AC3D61EBCD0CFDC92368,SHA256=5CC7942C11B657020B41A8796B33B508398AAA0130B4A43778D56CF7F78E8C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:06.138{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0282B884A0CCD8800385176569B931C9,SHA256=D200A5C840590B839091E35E1B0EF138FA537773129FA9811033E38545B59FE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:07.950{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4513-621F-A205-000000003702}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:07.950{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:07.950{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:07.950{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:07.950{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:07.950{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:07.950{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:07.950{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:07.950{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:07.950{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:07.950{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-4513-621F-A205-000000003702}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:07.950{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4513-621F-A205-000000003702}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:07.951{0B31F0A7-4513-621F-A205-000000003702}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:07.372{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31FBA8AF9C1A78921F809CCA60325934,SHA256=109CF4762282B98E824EB102361C8253FEA60C3287DDDB03C8F3DA2B454639DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:07.211{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F76B61B21070D859029F16C76A27FA,SHA256=CBC87F6471EA863695293B42108473F02C67787E847778C3315948EEB9D1BB53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:04.945{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50499-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000019927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.903{0B31F0A7-4514-621F-A305-000000003702}2608720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.747{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4514-621F-A305-000000003702}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.747{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.747{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.747{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.747{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.747{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.747{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.747{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.747{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.747{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.747{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-4514-621F-A305-000000003702}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.747{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4514-621F-A305-000000003702}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.748{0B31F0A7-4514-621F-A305-000000003702}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:08.591{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC220FF2F913AEF296AE1D552236A2C,SHA256=6537E9FDF8D1D28A45EA2F8F9B7C564CB73B40474D778B6F9FE79E308A9D7A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:08.226{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C89245DD52BB2A30CEF87DB150E77D,SHA256=11D5B642AA9F44FA06FBFEE0C5BA07E8C044A3C9AE0360E0FB20F4ECDF6D71D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:08.199{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65362-false10.0.1.12-8000- 23542300x800000000000000049191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:09.241{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD25D598A4387CC6C3F6EEB49CEC8F8,SHA256=316EB579854AA6B106E22778F00AE8EF8E80BB1332857DA5BED583A272BF574D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.419{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4515-621F-A405-000000003702}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.419{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-4515-621F-A405-000000003702}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.419{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4515-621F-A405-000000003702}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.421{0B31F0A7-4515-621F-A405-000000003702}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.030{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CE45E8CAD56CB8F2AE9F1F41391C297,SHA256=19A698AD1A86D2A7052A9786FB6EB4FE90E4ACD1D0B2D67ED3B257484A8CFAE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:09.030{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=681837E95CCB83903FB4851000233B04,SHA256=2ECF4D38DFEA269D03AE7D0E7BDF61E8BB742B6A4EC04EF9312F3AB438E02FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.466{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CE45E8CAD56CB8F2AE9F1F41391C297,SHA256=19A698AD1A86D2A7052A9786FB6EB4FE90E4ACD1D0B2D67ED3B257484A8CFAE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.341{0B31F0A7-4516-621F-A505-000000003702}2161284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.169{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4516-621F-A505-000000003702}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.169{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.169{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.169{0B31F0A7-34D3-621F-0500-000000003702}3921048C:\Windows\system32\csrss.exe{0B31F0A7-4516-621F-A505-000000003702}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.169{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.169{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.169{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.169{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.169{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.169{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4516-621F-A505-000000003702}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.169{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.169{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.172{0B31F0A7-4516-621F-A505-000000003702}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.169{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974DCA14FC9C587E10BABFA7C725C129,SHA256=06072FA2C0DEED2728D1A3D28AB9A55D3CBB84113B25CAB2223FA7C0311D3AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:10.256{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B97297C0EE5EF84586D14227299EB7,SHA256=4EFE0D0419511CABFC9EA73185461E5CC60C302728F0BEBA593EC34072CA7E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:11.271{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC490FCEC675DBC52DFC5969B46EFEA7,SHA256=8858EC92A66EEA186040EB5DA31CA794AEB0315C7F7E3C942F2A8A282B12D7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:11.184{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF81D4CF0A720278105791FCA9AF73A7,SHA256=10DB9D8CF541DE07BF77D417FD7CBF74D91EE16D57FE7669392220E4D9459618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:12.289{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA1FAD2744DDC843A865F4AAAD48493,SHA256=204C0DD0107568DC92C158F948B81B3DE31DC20DFA3ECE1326615F74F3B1C792,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.966{0B31F0A7-4518-621F-A705-000000003702}36762936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.762{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4518-621F-A705-000000003702}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.762{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.762{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.762{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.762{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.762{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.762{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.762{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.762{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.762{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.762{0B31F0A7-34D3-621F-0500-000000003702}392508C:\Windows\system32\csrss.exe{0B31F0A7-4518-621F-A705-000000003702}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.762{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4518-621F-A705-000000003702}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.763{0B31F0A7-4518-621F-A705-000000003702}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.278{0B31F0A7-4518-621F-A605-000000003702}36803660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.200{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF136AB6AEA80CC86455100690EE9A7,SHA256=CB7678BC2E0401A15191904E19D1090DF2557EBD25CBB5660FFD511443989772,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.091{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4518-621F-A605-000000003702}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.091{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.091{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.091{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.091{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.091{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.091{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.091{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.091{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.091{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.091{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-4518-621F-A605-000000003702}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.091{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4518-621F-A605-000000003702}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:12.091{0B31F0A7-4518-621F-A605-000000003702}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:13.293{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F0587D1C87E87C84EC7B28C5624962,SHA256=FF86C49CB3F0A474CD52EEB7C4871364373B0F9AFF3E2642939DA09DAD1A1EEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.419{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4519-621F-A805-000000003702}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.419{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.419{0B31F0A7-34D3-621F-0500-000000003702}392508C:\Windows\system32\csrss.exe{0B31F0A7-4519-621F-A805-000000003702}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.419{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4519-621F-A805-000000003702}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.420{0B31F0A7-4519-621F-A805-000000003702}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000019991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:10.930{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50500-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.216{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBADFDA2BAA40EEC9324E05CA9A5C0A,SHA256=BF53DB93B51A7005784FB2E44536170E3CAF219CB54ECFB278E6415A8CF56454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:13.106{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFC0708DE055228BBC520B7250D238D6,SHA256=8BF6843DD15102F5E7D4416042962A5E1A5CA5CDC2BCE8D53D42FB5DC04EF61E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:14.466{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DBF1BC3BC80BC92D0C809200504A51D,SHA256=221453C62D888E91F508156D95E3A76E664DCAB9E13053743FCBBDD400C48C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:14.231{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD38180FC8493B90EFC7D6CC51B4B5A,SHA256=CAA01B6DDEBC92E9E30E1FC42EFFC5C3BBCC6293B445C36CE02F4F42E6089BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:14.309{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFBE3D01F588CEBCE2FE5F71E414B35,SHA256=965B9E9D2EB3665FC7F5BD6701EF86F67167790017D688AE72BB10881726DC40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:14.164{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65363-false10.0.1.12-8000- 10341000x800000000000000049212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.956{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.956{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.956{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.956{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.956{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.956{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.956{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.372{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2FED8D305B6D2BED73106E974DFFDB,SHA256=659757986DE20730535BD3D40468580FAF1997B2B344CE1B335002723C2187CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:15.247{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747546BE361EF4E73E438125DCB37FBD,SHA256=88ADDB0154EB0C5810B7A2B02AE2F9D8D6E458E71E62E561D16611CB953A8E84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.109{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.109{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.109{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.056{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.056{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.056{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:15.056{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:16.374{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467B0BC185CF210D50D4E044BD27CB26,SHA256=A7F39B08A53A0B7C0C1095F5F206BDB2A0201DE72D6C04ABD0C5B1DD513BF4A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:16.262{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=373BD113269B96232A3AA8E0B80364DB,SHA256=079B4C3CCD14D16D1CF083406F18CF912CAA1C99D2209E2E73A5AFD3303AF915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:17.376{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC429275712A05F82CE6CE9715207BB,SHA256=6C8FE60DF669C4F8D00BB75BEA6F7ECA2161DDB946D6F353874C0DDA2E20B8B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:16.008{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50501-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:17.263{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CAF6D54FC178465A9BA8E4C539CC95,SHA256=DEAADBCF9F1C65A6B8D8258A3A7E5B17B7D873884F7E600A6715D87FFCF45B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:18.394{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B7A9DA6B77B7954770B86324BC209E,SHA256=240DBBC5E1059AD14FCA08C2D3BB37B1C5A8F690857BDD1885ADD1DAD80C5A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:18.481{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6312482EB4B7C6516B3F12E8325F985D,SHA256=347A9E6FDDE2409C507E4213C4D3905A30C81E317163EF36DFA352D461F613F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:19.716{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E48FC44F99968AA34C2DE6DF9D7D4E,SHA256=7F09EC1C18902752C0B50245F21DDCF36E020B3FF36682E7324C26F226864CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:19.413{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5418CF6009BECFA2AB4957DAB1A48A0F,SHA256=6F59D0F07B95BB6D2F31A18B8F2DE530431D5592C9956856D2A8B8703D0ED8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:20.943{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033098D4C6E9CFC35301AC84E40CF441,SHA256=64D444870573D06D5F1A022FF3E7A05DE2C56064F84AC0E4D6D9DB886FBC21A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:20.413{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68E95685101238C948B63CCDD8C5635,SHA256=09455ABF61EE315E4FD39DBA9101F7ED4A8F7BCEA91A06771C399C8607707FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:20.200{0B31F0A7-3557-621F-9D00-000000003702}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=BF300F7014437E589E790062B067C7C5,SHA256=F82904089512CD064BF4FD93876F475B3938370D05E059CC66B62D22F3E3360E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.943{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-4521-621F-0808-000000003602}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.943{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.943{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.943{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.943{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.943{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-4521-621F-0808-000000003602}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.943{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-4521-621F-0808-000000003602}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.944{328C47E9-4521-621F-0808-000000003602}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.443{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3E7C50290468BDD3323FF1247CE730,SHA256=17FCB4339BB9ED489E9829629142F1643D18F5D8820C7646495547DACA82A977,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:20.027{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50502-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000049226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.259{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-4521-621F-0708-000000003602}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.259{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.259{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.259{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.259{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.259{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-4521-621F-0708-000000003602}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.259{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-4521-621F-0708-000000003602}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:21.260{328C47E9-4521-621F-0708-000000003602}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:22.874{328C47E9-4522-621F-0908-000000003602}52125136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:22.611{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-4522-621F-0908-000000003602}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:22.611{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:22.611{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:22.611{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:22.611{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:22.611{328C47E9-32BB-621F-0500-000000003602}400416C:\Windows\system32\csrss.exe{328C47E9-4522-621F-0908-000000003602}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:22.611{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-4522-621F-0908-000000003602}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:22.612{328C47E9-4522-621F-0908-000000003602}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:22.458{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC9C3E321C4E80EA66216302CDEBE48,SHA256=C7FCDA0112ACB148703EF0408B7FCA3CA46E58AF549AC4CFAFCDE61B82E51ECA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:21.064{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50503-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:22.178{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E63A5D356E587C429BFDEA2D852E357,SHA256=21058A80AB396594E24DF6C4D2FC9E0399CD7F1B05DD30EFE1CB8423E7185225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:22.274{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B470887B850D5E11E06F1011CE85892F,SHA256=02A679C85D8205D0759CA423DBBA88BE30DD0B76531DCF9AC87AC82ACAAA716F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:22.274{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC16FE3C593D11D76DCD83F511DE9D09,SHA256=128746EB7D82833E3DCE910A71246CB394B21F0F41BD9A190A1881642CAB4894,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:20.117{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65364-false10.0.1.12-8000- 10341000x800000000000000049258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:23.812{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-4523-621F-0A08-000000003602}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:23.812{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:23.812{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:23.812{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:23.812{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:23.812{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-4523-621F-0A08-000000003602}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:23.812{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-4523-621F-0A08-000000003602}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:23.812{328C47E9-4523-621F-0A08-000000003602}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:23.612{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B470887B850D5E11E06F1011CE85892F,SHA256=02A679C85D8205D0759CA423DBBA88BE30DD0B76531DCF9AC87AC82ACAAA716F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:23.474{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E008AC0859207E4DCD650DCECA818DC,SHA256=043E54427391CCAAEFCE1C0C1F98103C0AA6D74278131376811DF180DF3B567D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:23.334{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D590290BB1EBF4D4740857187056758,SHA256=B51EA991242BBF51C5DFC971F58967901FA9E4C56C869237BB6D908D09FDC256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:24.812{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34C8717B126F67FA5BE86F76CD29374D,SHA256=682AFED5C8868BA7CB77CD5EE85F00070D671FBBDC714B203AE4D3F3794121C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:24.495{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5630834DDAEBC169FD35B0ABFEB5D5,SHA256=94DE1B36CF9FF0AEFADE5FC99BBE680A60A0EBB4E5DBCA05FDB56F7A7D2270AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:24.350{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEFA0D5F33D609650FA50E23462FCF9,SHA256=B91780847C8161FF520EDBACE457EB28D9F0E2EB8467F4152A729C57C2F86712,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:24.011{328C47E9-4523-621F-0A08-000000003602}58923328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000049260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:22.216{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local65365-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000049259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:22.216{328C47E9-32CB-621F-2800-000000003602}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local65365-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local389ldap 10341000x800000000000000049267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:25.846{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:25.830{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:25.830{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:25.513{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E12F57504ECFC6E65446FFAA3AC979A,SHA256=D146E69E8B280B6405C617A64590D07478D0B5F2F263B82EE15435CA0B4D9992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:25.365{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756134687E5A499F2FC27982BD4F816B,SHA256=E0899837430DB67BFE6645B3A3A7A4E5BDA24F451BC9EED66B487747B8D81462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:26.381{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C594C4975084F3AF02E4A5C752519A99,SHA256=CE7F4C13CF53AA492D0C0E7EBCD3C913CC139049369AE3AF7E58DEEA40D5C3A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.947{328C47E9-4526-621F-0C08-000000003602}51567760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.699{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-4526-621F-0C08-000000003602}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.696{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.696{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.696{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.696{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.695{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-4526-621F-0C08-000000003602}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.695{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-4526-621F-0C08-000000003602}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.694{328C47E9-4526-621F-0C08-000000003602}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.515{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D131E3C89FDCCC93637C3F2A6288E56,SHA256=850F62C6A3326820C35B3ED2254E8B9EFC89F8BF5A799485E0F0B61983AED1FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.262{328C47E9-4526-621F-0B08-000000003602}81167188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.031{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-4526-621F-0B08-000000003602}8116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.031{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.031{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.031{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.031{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.031{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-4526-621F-0B08-000000003602}8116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.031{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-4526-621F-0B08-000000003602}8116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.032{328C47E9-4526-621F-0B08-000000003602}8116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000020023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:26.096{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50504-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:27.396{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F078E6923F736001F9D52A35E803CC,SHA256=C74981AB5DC3058A827108710C76E4359B808E2891C97739DADB340449684CD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:27.664{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-4527-621F-0D08-000000003602}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:27.664{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:27.664{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:27.664{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:27.664{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:27.664{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-4527-621F-0D08-000000003602}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:27.664{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-4527-621F-0D08-000000003602}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:27.665{328C47E9-4527-621F-0D08-000000003602}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:27.517{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC667B345F21DBF773210C42256A29F2,SHA256=915787DD1AB210FA6AF72C5E363C6AD82180F84FB03815DE1C1544ADBA525C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:27.032{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DB86BC571D31DDBDB9A25ADFB9759F9,SHA256=64B14382FB3C68C2982DEDE0589EE7C4482DBD49FD1A8C814BFA0B03A17225E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:28.666{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DFBF02F031EB9FA5195DE77A6D6CABF,SHA256=F203C7E3F093FFC12828CE4149082016F55CE40B3C218CDC58F9D106F0CF4254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:28.534{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85C7C3E6675A5A847F438B0E44E863A,SHA256=A01F4D7C51C910582DA97D87204595A7B1140315A8399810E7DA9936DA01B7CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:28.412{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A12FA34849640FD3579F6DD169E0AE,SHA256=966EA6438EB9E9B54629FC8D8382D079199FAB8FF36EE55E6EA844DFF7E22CDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:26.151{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65366-false10.0.1.12-8000- 23542300x800000000000000049310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:29.550{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223DBE0976E23BA1D48AB46CE967037D,SHA256=AF757D40C374CF7144462FC0F96D61C50F25F670A706F97FF63C6E81C63B220C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:29.428{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773369B4A00B2CE86B10B43DF0848B2B,SHA256=DAB419D15443D1EB872DC7803DE873721C34E733D69740E6D9961D9BB8D8D0AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:28.249{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65368-false142.250.186.106fra24s06-in-f10.1e100.net443https 354300x800000000000000049308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:28.246{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local60378- 354300x800000000000000049307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:28.167{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local54507- 354300x800000000000000049306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:28.166{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local63061- 354300x800000000000000049305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:28.158{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65367-false104.84.120.101a104-84-120-101.deploy.static.akamaitechnologies.com443https 354300x800000000000000049304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:28.156{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local63995- 23542300x800000000000000049303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:29.419{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\permissions.sqlite-journalMD5=44C0342AE401A3123408475076B68605,SHA256=F03358773A5EAC03B8F3F1F73A63093638F65157F7E867EB4A1DE7317C0FE8A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:27.927{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local59889- 354300x800000000000000049301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:27.926{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local60443- 354300x800000000000000049300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:27.924{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local62269- 23542300x800000000000000020026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:30.443{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21731DAA6016669F2DDB051073201033,SHA256=98DE5F89C4AFDE7B5F6C284B2FCF7B9A086248A16ED0DB337AAEF1B6B75FF72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:30.550{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BC88D54B3295E1B30F2A0F4768DBAB,SHA256=B04D85E43A0D50AC5043EF31562F67186B82E9EB66237FF042BCB45E424F4994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:31.459{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F4943A78C7221CBA6D6B7BB995E1E4,SHA256=9917C93E880702C96F89337BA5B235ED4397F56BCE098762F88D3F4618515CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:31.551{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4A7BB37A1D60DF7D559E3121198027,SHA256=4AA86EC065F938460C9C1BE41ACBE6802A2C6660ABF0F8C33D8532F0329F8485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:32.567{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775BB28D73B57FC331AF24C75904CB38,SHA256=C16014D4E9A256E123336910F3F7DB6D0F09D2E3A10181DB97766D1703CDADA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:32.474{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCD558CCF0AA7DBEAA898B25F6F65DC,SHA256=C62D195BCB40730D6866FC8B9E10F6A5896995FBF482C5FB6F8EE472F0324D14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:33.935{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:33.935{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:33.935{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:33.935{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:33.935{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:33.935{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:33.935{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:33.583{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886162A774C72D2079A77E31559D334D,SHA256=E0C30DF55A3F35783403B3627F7F8A51457752719152126DC6547F3EC0F4740D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:32.095{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50505-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:33.490{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F32FC7D726BD9064988B264ECCE938F,SHA256=0F5A6625342E4548339B8CE70CB22CBECEEFEDD1A6EBA0A1F7EE5A6F7DFEF73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:33.283{328C47E9-32CB-621F-2C00-000000003602}2984NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=BF300F7014437E589E790062B067C7C5,SHA256=F82904089512CD064BF4FD93876F475B3938370D05E059CC66B62D22F3E3360E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:34.503{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C317FA06A08D9E2F043BFB79E36064,SHA256=5A9B7D1D2F0542427CB5C8340089601AA5634740E7C79540C132E8586E2D13D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:34.603{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F365AE460BF47BE69681C793CF1A0A1,SHA256=DD43F392F0F15473DB28E8FE953E16F1F038D22229B3C8F95248F4FD52D2DC63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:32.124{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65369-false10.0.1.12-8000- 23542300x800000000000000020031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:34.134{0B31F0A7-34D4-621F-1D00-000000003702}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05f92af3186bb896f\channels\health\respondent-20220302091151-067MD5=430E98715AF7AF3635AF491DD4D57DC0,SHA256=DB5ABDF044C29F4F52A2AE95E41AD07DA17545B9719AB57C70BFA50A5C4AEE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:35.516{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FBA4D1373C4FECADFB25DF30FFCF71,SHA256=0737793A3FBCF401C4D7C0E373BA43E2475C1D3DB9931511EC3B26A8E4E151FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:35.619{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C96D5EDAF621442BC3BFFCB2DF8EC0,SHA256=91A3D0CA2A8A7F072191B66DB6C2E59C882B7FB61E4F97C699914EE04CB6E3C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:35.143{0B31F0A7-34D4-621F-1D00-000000003702}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05f92af3186bb896f\channels\health\surveyor-20220302091149-068MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:33.241{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65370-false10.0.1.12-8089- 23542300x800000000000000020035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:36.518{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C446299EFBD796C0593F60CA7EEE259,SHA256=A9C66001D554C2A2FC385DE6C14AD25284F4D6D3FAFCE575DEC00C9B9F0BC9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:36.634{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD8BE46D316E2FEAB3025663CFB65A0,SHA256=47579B797E45E3273B19E8E7171A7DCECDA875A2218C06B13F1BC35AB911BAFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:37.648{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD954F18B7CDDEF8D67725B92221D56,SHA256=9D2155DC3D68E1D298AD440ED929DD0116CF81E68EB0345232169E1A83F5757F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:37.534{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A476C48E7A3A1A714A5D9A444F211ED,SHA256=287C3A40C4AEEDD44D0BFE484E24ECDBD117A3BE46EC8E977667962FF5C50D8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:36.040{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local54168- 23542300x800000000000000049331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:38.663{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AC645A7FF870FF339F7AAB7D3E207C,SHA256=8D7E66213535515287A9F851F3AF9A63542AC52417DFFA500DE7B26C397B2762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:38.549{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0286335F85B85DFFFDC7F638D4F99D5C,SHA256=CA60AC6414248A1A629AF756CF1AEC62C333D79A7876589FD092FF4DE4A24001,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:36.042{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53718- 23542300x800000000000000020038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:39.565{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F88912D9D1FF6943DBC67F84DD578A,SHA256=E0B17C3C94FA7377F9FB82EDFDA7FF679D6E781B76DBA8017002F7FA8F38BE67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:39.678{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA5E7B36544F594F61E81F7F4671F5B,SHA256=8A052EA1A687DA1CDAEDF4C9FF8B06055EC70069E782A5957F4F31AFCEFEFCAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:38.105{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65371-false10.0.1.12-8000- 23542300x800000000000000020040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:40.612{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E238B1BCFA7846F9D42C394B8548D6F,SHA256=550180724D9D547123F80D58B892D7E29353299FC808F07544F28D16A12187AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:40.679{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8889211EA0C5423D65972D7A30139AFD,SHA256=488EAE052B825A0DEE5E004294F218C8D9475E8C6A9962890F434625F6582948,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:38.046{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50506-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000049336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:40.302{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:40.302{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:40.302{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:41.844{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B78F933E982B843802D8560A8EBC4F,SHA256=77720BE2F23B4CFFB24052915177611CF91C99A974847F7883664905D904C35E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:41.679{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEA13CF3660F28E7EC00E87C64CBBB9,SHA256=D0D3B3444FE0C57BFAB54375BCC0826F44A6EAA1F3CAF2C6D6467829D292A61B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:42.697{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34E2884A5A8F86D85BDE1BF89BF3816,SHA256=76EC5E9D32C7A57455EDAC0EAA04B322B10F2F700D51B9251B7D119FD11E9DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:43.715{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56A50A80FBCEA791045BC89A836213E,SHA256=717CEF84811B8170540AB032A936A475CA1069B2EA00B27C1EC70A9AE3AB329B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:43.062{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0A88C2FD713AA22C7877EA78C2FD7D,SHA256=6AFE3BBADACA0E266489C0D29DF2E368EFE31DE933A04A43A5D13ECB2A38C04A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:44.730{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515E8EA97207F62C912305E19AB4EB8F,SHA256=CE0D9B731688429A8399B0DACA346F8CDCC2B1FBAF5F1C902B2F1426BAB95CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:44.094{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D95D4D1CE148596B0255C3D0A422058,SHA256=92625C4CBB0EC4DC7C14E4891AAD303882F57C62098D14A2B58A28E736D5F4B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:45.746{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A1A88762E1FB6260A972365167DF3B,SHA256=BFD505F521C6D3814239100751DED76F6E586D5D761BE32BEE73AF655FE6A74B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:44.026{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50507-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:45.172{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61E8112DFE95B2280F90D39D51AB797,SHA256=6FB0C3D52017ADAD2B16CCA2ACEF107DE68719AEADCBAB66EAA0103515553692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:45.361{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\datareporting\glean\db\data.safe.binMD5=503F4105CF3606A0A1004EBF90756F19,SHA256=5D5FFE56E3A7161BCD0CDE7E74AB5793CA4367988A20F70CD54F51661BCA535B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:46.761{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87EFCF66EF7CEFE7893163A5660532D,SHA256=413F88E9EF4514025197DE5330CD1D20BBDCCD177643620467155C191757372E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:46.203{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD500DA49B27AEACAE95DD23AD601FCB,SHA256=993B020C2A11E1881C5198D3B9D33A60FF2C145A42A3D020BFAF7262EF4FE9F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:44.088{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65372-false10.0.1.12-8000- 23542300x800000000000000049346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:47.776{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9935536CE0E5F80F93BB2187AB7D584E,SHA256=B5FF76B740F3653E87879BF3FA956B14E0AB45F91D2BB27990B5F798B3A6E44A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:47.219{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4337189484CD90A879E66C14154D3B,SHA256=4953410742474AECD457B2AB3956BD8532647DD55E0DC9B1091BDBFD9EE83E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:48.795{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D039DCC1AEB2C818F349AD48C906495,SHA256=CE8CAFACBA54618F3240D7E4C7C1396601A327B667BEF3C2DE22254B01313D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:48.297{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA19BC874B48A95A7B41AE5FDBD0DD3,SHA256=81A10FECF9A9AD0C95EEC692418EB17C12ED0691033A976D6E5CA0AD66F5BA1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:48.129{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:48.113{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:48.113{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:49.813{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C425AE290BB3C6DEFA1E713231580C,SHA256=E534BDA4A65A06716FDF90839DDDAB9EA47906D4DA049AAC78AE2B34A09B85EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:49.312{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3AF4DB7BEA50BF0EC0573DCD3FE0478,SHA256=3B1DD58657A654C5E8FEF45CD27C0C1D56F6EC820AAFFB2E604F7C2277600E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:49.265{0B31F0A7-34D4-621F-1100-000000003702}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=474C17F603D4F7A5D45DFCEC80046E3E,SHA256=CD03CFBE62E30D87A8480A260650E816D5046A5373667DD6415114D3D42FDEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:50.828{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F65DB6FAB912F930F7EC71900A0E5B8,SHA256=DA993225A064F8F29463E919179C543873867DFFCC3DCC6F7321D0FCE0EC1EED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:49.058{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50508-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:50.328{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881431F41D774F6D6AE7B026EA3E29BB,SHA256=3708C29507A7EB7580213D48395AB4DCF2A21BDE6E19DE0FA28A2F94B9B07AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:51.858{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB0FB20BA6ED32FA11EB1D807C9B125,SHA256=7300B6652CA4D44FF390D5D7A41DE9C8DEE0846F0DCD857857214AABEEB90EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:51.344{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E963531CB0910C77815DEB18377358,SHA256=FE93C4AD1C65332EA9851FB7EA3F93249E7AB25331B3D85DD8EE92FE28B1E53F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:50.246{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local54374- 354300x800000000000000049354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:50.234{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local64731- 354300x800000000000000049353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:50.064{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65373-false10.0.1.12-8000- 23542300x800000000000000049357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:52.859{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF967D00F1BE7D6880928FE037842DA4,SHA256=1EE7C5409A67C4426409748AACF78D0FD642D506C76059FE75DAA51C42791A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:52.579{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CE415D14DCB7863CF9038983D67E84,SHA256=744FA084996E2F4E639D2AA15F1DB19F92B9571DDEB1EBCC3096462BEAAA58B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:53.657{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4EB8CFB20285A26F02C7DB07C4DE34,SHA256=80A5B58DF6B865140C128C8D2A07403F3F4890BADBAACF509202581881F94E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:53.859{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FABDCE51D7CD2C576A1424B33DDDEF,SHA256=C9D22DDAA6FFD48A28E372CACA8973AC484D3BA4631D402797629BE45A3D6168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:54.861{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52296A052BD64F76E602DB11206D66E7,SHA256=535B3165281CDF187E2BAA411F11FF54AB18AD3230CFC5189BD6EBC32D2793DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:54.767{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0069024F25464D535CD30C9853A262B9,SHA256=581041DD2A4DFC898252F90557CC383AA3906510A79BD696AFED0CDCEDB9287A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:55.896{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C31222E1A5FCB1BB810ABA03218A56C,SHA256=1B1FB045C64D147BC37EA5A6DCD86F61EEE96E55E84D711C728C2CFCF842A4C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:55.782{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E7AC1C97F6759DB6CC7F9655097E8C,SHA256=324FA64AB809AA9698E06CEFA089D7A87F7CDA15EBC3B5C9730B3FD041FFBD3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:55.176{328C47E9-32BE-621F-1200-000000003602}340NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F5FB648CCAA76938D5604928F30C0DDA,SHA256=FFB25667AC03227D6A4DF487C592FEF67953E2EC0DCB69512CAD5D48A6821E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:56.922{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B69ADA8392D1A398CEE5569FB540A0D,SHA256=106804E9798CAE2C15760ADE2C1DFBE214983DEA2AF187CA2CAD818F452E6A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:56.798{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D524089EAC3C83530DF0C017011D8EB,SHA256=3FF63511DD69335CB909B203A0117B1DA21814AAB65A1B1CAAC9D6AECC6460CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:55.059{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50509-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:57.925{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD413E807D0D0B8FE4D7BA779ACCD23B,SHA256=FEB5D80EF37165F2D04ABE78C63760B55763CACEF06AF5DE0A85C1E433B45191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:57.813{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C19F675E1FEE94CDFC8D3A709C864FF,SHA256=C5F0366FE9EC919EF5E6ECE546E83887A3ADA69EF8259BC951157986E944F034,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:56.051{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65374-false10.0.1.12-8000- 23542300x800000000000000049365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:58.939{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15E682D8D86138650CA0A2E4B87F284,SHA256=FB8C7AB649FB2EFC850A5CDA64707BD7C5C7927F581955C215446FEC610AEA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:58.829{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A6B4E654DA3146C6F83A070C3B8C28,SHA256=3860B70B88764D2FEC3FA3F9F964F18812A6D7F92CE39E3B4E980F56A8B2F2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:21:59.971{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B0F110CC4B5C3952C494A8F0940442,SHA256=B73914B041475FAC4D1F7A3DE60333AE33E107775BA5E805A70FDEACE873643D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:21:59.845{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF5DF3E43B3A86B5AE8239E8379F4CB,SHA256=6622480C833304BFF4E6E9485625B3863D2B7898557890E857D5AEC0E7EDAA33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:00.974{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5A4CB8EC4325F1355AB66837C047D0,SHA256=BD36B470713DEE91499F95FE02CE7A8050B7A3D38173966FB5A353A72753C1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:00.858{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2CF5B21E06D9C04B7530A5A73AD1050,SHA256=B5D686B41D1E93D9F1D8AFEBE2B28A5AC7FB0603C78B63C59FFE00077BFDB669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:01.989{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A792E43BAC7396D1CA3BC8FFD79473,SHA256=5717E2786B7CDC8707FAF112747D97D59FA367DCFB639AD1825FF6E0EEE3445B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:01.874{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D97B216934825803468ABD13B8A2BA9,SHA256=D10C573C4AE0DFBCD318EC7F0801B410D13F47F81FFB0D9A6E9A6B62C50F8AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:02.889{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FCA99D481A8EBA394E976DD3CB6EEA1,SHA256=AEAD5CAA06E4B90C53C5EA86AF8D7BE037AF47CD9BA1F1320F313F96864BA78D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:01.163{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65375-false10.0.1.12-8000- 10341000x800000000000000049371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:02.558{328C47E9-38F8-621F-2E06-000000003602}23084880C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80281EE7FD8)|UNKNOWN(FFFFB238AFEA5B68)|UNKNOWN(FFFFB238AFEA5CE7)|UNKNOWN(FFFFB238AFEA0371)|UNKNOWN(FFFFB238AFEA1D3A)|UNKNOWN(FFFFB238AFE9FFF6)|UNKNOWN(FFFFF80281BFF503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000049370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:02.558{328C47E9-38F8-621F-2E06-000000003602}23084880C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80281EE7FD8)|UNKNOWN(FFFFB238AFEA5B68)|UNKNOWN(FFFFB238AFEA5CE7)|UNKNOWN(FFFFB238AFEA0371)|UNKNOWN(FFFFB238AFEA1D3A)|UNKNOWN(FFFFB238AFE9FFF6)|UNKNOWN(FFFFF80281BFF503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:02.558{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF488f32.TMPMD5=D5F6B777ADEFB28682290A3936AE0977,SHA256=B36332BCD52C7798F89CD1708B921A7A0EC7D94EE22121596F5A118680A5259A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.915{328C47E9-454B-621F-0E08-000000003602}6568ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\saved-telemetry-pings\8f5b4ef6-6759-44c9-8611-670516808b42MD5=7EDC1ECDB1B7FE81385919E52700BFE9,SHA256=B5448B8521B7E7FBBB1AB44D49565E039587D59E19758D498D472881ACBC4414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.774{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2050E061D5534731F5991581941AAD03,SHA256=FA0DEAD69DC3F4FCBE8C3910E063D1CA9F0CFAFEC9252CA2D1C4DDC79C36CD64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.643{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1600-000000003602}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.628{328C47E9-32BD-621F-0D00-000000003602}884836C:\Windows\system32\svchost.exe{328C47E9-3909-621F-3F06-000000003602}1136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.628{328C47E9-32BD-621F-0D00-000000003602}884836C:\Windows\system32\svchost.exe{328C47E9-3909-621F-3F06-000000003602}1136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000049435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:01.902{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local61156- 10341000x800000000000000049434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.628{328C47E9-32BD-621F-0D00-000000003602}884836C:\Windows\system32\svchost.exe{328C47E9-3909-621F-3F06-000000003602}1136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.628{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-454B-621F-0E08-000000003602}6568C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.628{328C47E9-32BD-621F-0D00-000000003602}884836C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.628{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-454B-621F-0E08-000000003602}6568C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.628{328C47E9-32BD-621F-0D00-000000003602}884836C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.575{328C47E9-32BE-621F-1600-000000003602}13165064C:\Windows\system32\svchost.exe{328C47E9-454B-621F-0F08-000000003602}1948C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.575{328C47E9-32BE-621F-1600-000000003602}13161364C:\Windows\system32\svchost.exe{328C47E9-454B-621F-0F08-000000003602}1948C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.558{328C47E9-454B-621F-0F08-000000003602}19481248C:\Windows\system32\conhost.exe{328C47E9-454B-621F-0E08-000000003602}6568C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.558{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\datareporting\glean\db\data.safe.binMD5=0719A89747697AF11888F22634B2477F,SHA256=D6146F3870BD9A837580ED1B8CF36DFE26C62E8E903F1C45299B598213E2BC6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.558{328C47E9-38F4-621F-1506-000000003602}39484440C:\Windows\system32\csrss.exe{328C47E9-454B-621F-0F08-000000003602}1948C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000049424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.558{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\datareporting\glean\db\data.safe.binMD5=9C739A64248EFE27299B85DE379FBF75,SHA256=FADB9DDD1A6DEC85982D90FD3B654A9020473E88F03407FAEF1FB45ACBFC5F90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.542{328C47E9-38F4-621F-1506-000000003602}39484440C:\Windows\system32\csrss.exe{328C47E9-454B-621F-0E08-000000003602}6568C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.542{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.542{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.542{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.542{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.542{328C47E9-3B6C-621F-9E06-000000003602}1620856C:\Program Files\Mozilla Firefox\firefox.exe{328C47E9-454B-621F-0E08-000000003602}6568C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+2195b7f|C:\Program Files\Mozilla Firefox\xul.dll+2195995|C:\Program Files\Mozilla Firefox\xul.dll+21959e1|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+13b7d2|C:\Program Files\Mozilla Firefox\xul.dll+154551e|UNKNOWN(00000333A01D4AA0) 154100x800000000000000049417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.548{328C47E9-454B-621F-0E08-000000003602}6568C:\Program Files\Mozilla Firefox\pingsender.exe97.0.1-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/8f5b4ef6-6759-44c9-8611-670516808b42/event/Firefox/97.0.1/release/20220216172458?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\saved-telemetry-pings\8f5b4ef6-6759-44c9-8611-670516808b42 https://incoming.telemetry.mozilla.org/submit/telemetry/724d0dbf-73df-45e1-a4da-d8d293ba004e/first-shutdown/Firefox/97.0.1/release/20220216172458?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\saved-telemetry-pings\724d0dbf-73df-45e1-a4da-d8d293ba004eC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{328C47E9-38F6-621F-7F7B-3A0000000000}0x3a7b7f2MediumMD5=02AB913D3540422BFA0A676B861403F0,SHA256=9C14E91757BD1A4F8F2AC4B3F9D6294A8250C8DA03A110D358A6C785B56A273A,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x800000000000000049416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.542{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\datareporting\aborted-session-pingMD5=E77AC139F03F131769939BA12CB5FB58,SHA256=279D1D46ED232D7184DC6D12D2C2BB90C02DCB66BBD35CFDE8566D7DB6449F4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.527{328C47E9-32BD-621F-0D00-000000003602}8844108C:\Windows\system32\svchost.exe{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.457{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\storage.sqlite-journalMD5=FA62E011EC6C535CBA4A1458B1AEBABF,SHA256=4BA17227B3778009CE4B150AA4D2F03A10E33C5B5E04AC53681BEE957BF775A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.442{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=69BAF722434855C5AEB30684DCF0DACF,SHA256=77E2054377965F45120BB9584E2F8774F89741ADA0074E506D27BEA208A9568A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.442{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=D1DBB4ED6E65B87B3A10743E9EEBD0A6,SHA256=340E5B7740DC1C23EB514EB4CB2D3A8DBEF4C3D9E0AC5C30A9FE14520A85E69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.442{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\xulstore.jsonMD5=2A3CC2404FD9A14E62E290A4D760AD16,SHA256=6B7B2F2D838041111013F7ABE686644F4259441D23BD63C4BB04FBAF6F1B7A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.442{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.442{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\cookies.sqlite-walMD5=465579624A0AD795D8E816B884764B4F,SHA256=5D2F252D813E1E35BD1F2AA8040930B9DD8E3854AD1EF3BAB944C23E31EF6595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.426{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\cookies.sqlite-shmMD5=99E358076B1791B8317279186FA2AAC7,SHA256=06058AEF708292FCA57F68162B0C6C906C9944265DD98660F31ABDD51B323856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.426{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\favicons.sqlite-walMD5=4C102029D549E1AAE63DC7C7DBF77591,SHA256=7679139BFE65FEB3BE333E1E733EC4301FB836445CCCF6BAF968E9927818ED41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.411{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\favicons.sqlite-shmMD5=F81798C24F866E4EB11CFF475DE9F389,SHA256=4A611DC2692AC8E6619606463408F45E5EFAFED79F19FE42573019BB0501C673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.407{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\places.sqlite-walMD5=D3918DBD5AE303CCEA7915515B559BA7,SHA256=AD8F1DC37A582388AD109249EEFD72F5B9232B0B4101BD8B1667148CB20243DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.373{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\places.sqlite-shmMD5=CCCCF720BF88A1ABC68825F660193A0A,SHA256=6C9615EBCBD2AB6DBC9B709C214AD2047224EA0F1949E036493D06BB0F362825,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000049403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-CreatePipe2022-03-02 10:22:03.358{328C47E9-3B6C-621F-9E06-000000003602}1620\chrome.1620.94.180385890C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000049402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-CreatePipe2022-03-02 10:22:03.358{328C47E9-3B6C-621F-9E06-000000003602}1620\chrome.1620.93.213381204C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000049401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-CreatePipe2022-03-02 10:22:03.358{328C47E9-3B6C-621F-9E06-000000003602}1620\chrome.1620.92.209491884C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000049400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-CreatePipe2022-03-02 10:22:03.358{328C47E9-3B6C-621F-9E06-000000003602}1620\chrome.1620.91.203210148C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000049399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.342{328C47E9-3B6C-621F-9E06-000000003602}1620856C:\Program Files\Mozilla Firefox\firefox.exe{328C47E9-3FBB-621F-5007-000000003602}8176C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(00000333A01D1E54) 10341000x800000000000000049398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.342{328C47E9-3B6C-621F-9E06-000000003602}1620856C:\Program Files\Mozilla Firefox\firefox.exe{328C47E9-3C8B-621F-E406-000000003602}6388C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(00000333A01D1E54) 10341000x800000000000000049397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.342{328C47E9-3B6C-621F-9E06-000000003602}1620856C:\Program Files\Mozilla Firefox\firefox.exe{328C47E9-3C8B-621F-E306-000000003602}6872C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(00000333A01D1E54) 10341000x800000000000000049396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.342{328C47E9-3B6C-621F-9E06-000000003602}1620856C:\Program Files\Mozilla Firefox\firefox.exe{328C47E9-3B70-621F-A106-000000003602}6412C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(00000333A01D1E54) 11241100x800000000000000049395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.342{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\SiteSecurityServiceState.txt2022-03-02 09:45:00.595 23542300x800000000000000049394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.342{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\SiteSecurityServiceState.txtMD5=D4F7AFCDDC8BC923BEA993E5A858CB7B,SHA256=4B6E3D3AA74E5469DBEE577439A3B9EB5F346E5974D347A4705FC4C754AB64E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.342{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000049392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.342{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\AlternateServices.txt2022-03-02 09:45:00.769 23542300x800000000000000049391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.342{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\AlternateServices.txtMD5=95EE224281E0F521EB7E944D37B00AC5,SHA256=67DC2837F47243CA311E2FB5220AEBE46FBF8E82C6D7CDD81EFCF8E6D6EFB804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.326{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.326{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000049388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-CreatePipe2022-03-02 10:22:03.311{328C47E9-3B6C-621F-9E06-000000003602}1620\chrome.1620.90.72199757C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000049387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-CreatePipe2022-03-02 10:22:03.307{328C47E9-3B6C-621F-9E06-000000003602}1620\chrome.1620.89.2223050C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000049386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-CreatePipe2022-03-02 10:22:03.289{328C47E9-3B6C-621F-9E06-000000003602}1620\chrome.1620.88.37158481C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000049385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-CreatePipe2022-03-02 10:22:03.289{328C47E9-3B6C-621F-9E06-000000003602}1620\chrome.1620.87.128469595C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000049384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.289{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\sessionstore-backups\recovery.jsonlz4MD5=BFD82D987AD40FCE9B507126BCE9D7BE,SHA256=5E1AF9978A17F2A87E37560049531236DAAC536434FB13723106403B63055A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.289{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\sessionstore-backups\recovery.baklz4MD5=0DBB9CA7D0D1A2748C80777EFD48CDB8,SHA256=CCF968A0350CF566E07C35E1155EAF22C7AF178FB1C126272C9D2CE888143C87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.258{328C47E9-3B6C-621F-9E06-000000003602}1620856C:\Program Files\Mozilla Firefox\firefox.exe{328C47E9-3C8A-621F-E206-000000003602}4368C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e38528|C:\Program Files\Mozilla Firefox\xul.dll+840734|C:\Program Files\Mozilla Firefox\xul.dll+834311|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+19c6153|C:\Program Files\Mozilla Firefox\xul.dll+168ec17|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|UNKNOWN(00000333A0259DCA) 10341000x800000000000000049381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.242{328C47E9-3B6C-621F-9E06-000000003602}1620856C:\Program Files\Mozilla Firefox\firefox.exe{328C47E9-3B70-621F-A106-000000003602}6412C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e38528|C:\Program Files\Mozilla Firefox\xul.dll+840734|C:\Program Files\Mozilla Firefox\xul.dll+834311|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+19c6153|C:\Program Files\Mozilla Firefox\xul.dll+168ec17|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|UNKNOWN(00000333A0259DCA) 10341000x800000000000000049380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.158{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.158{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.158{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.111{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.111{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.111{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.111{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.009{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C751CA3170ED1A223791B31DEED1825A,SHA256=CC9D100DB3047CDE0DEBB2C861A846EC994ECEC1BBEF9E957D848A37E3C324D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:04.061{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A5A98C1D827D89BA99763951B9465A,SHA256=592A56B45358176942B3649D5DB8B52DC451B2A103871E502BE5CB0F4DCD70CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:04.571{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE2101521EEA9A8B9B12AB5029526BA3,SHA256=1B13A16E6238992C94D7AFD1B0DAAC817725CEE21CAE57E633E265B6030161C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:04.571{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43A2C9663CE5BF66CF1BD74597BD57CD,SHA256=9F0794E5D01B2BD143F2E358481F0065DAAD0B05CA312DEC7C97541B4310D37D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:04.165{328C47E9-454B-621F-0E08-000000003602}6568ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\saved-telemetry-pings\724d0dbf-73df-45e1-a4da-d8d293ba004eMD5=520C0ECC82C988BD4699020BB0DB3E4D,SHA256=4231F627DA5FFD3B3667C1FA48228647F004234EB8FDF86626DC0B57D0BB6E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:04.009{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E67F6D1BC296D5BD752F93CB6C5E1F,SHA256=D4DEBB20E232A3AB6633411D100A38B1CC47C8FD08E7CBBEBFDA896F648CD09B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:01.072{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50510-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:05.296{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DCE2FB571285490E9C595BC5300C9E,SHA256=8F05D56B010278EDDD8EA883F2953C548D518624E6D6A6D1B124CFB4862FE7A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:05.040{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FAFAC8B6163BDE16E88D8E6FB2BF16,SHA256=0F82BB9C2F2A0A72632EE83DEE6DB20863AB55A1719574EE854C4221C0B4A3A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:05.024{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:05.024{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:05.024{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:06.374{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C236D483888DBE5AEBED5DCD84538C,SHA256=EC9362D8A01DE5057071AB17C2E1637ED1F7678B4632339DF1CA324193772400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:06.811{328C47E9-32CB-621F-3000-000000003602}2276NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b2a54b03ec6c5aa7\channels\health\respondent-20220302090310-076MD5=47B9AB6966A9A68B2D576A1C6AA75061,SHA256=8AF396895B30D9593371F8AB463A5CC9CFB2CD271124040E771BFC539AC707CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:03.649{328C47E9-454B-621F-0E08-000000003602}6568C:\Program Files\Mozilla Firefox\pingsender.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65377-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 23542300x800000000000000049449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:06.040{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1E2A9DF6B3691A08E6E6344C159150,SHA256=221A94361DBDD4EA9C482A78F6351FDFF4F87120F4E2F208A04014126D9F0746,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:06.088{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50511-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000020083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:07.905{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-454F-621F-A905-000000003702}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:07.905{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:07.905{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:07.905{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:07.905{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:07.905{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:07.905{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:07.905{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:07.905{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:07.905{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:07.905{0B31F0A7-34D3-621F-0500-000000003702}392508C:\Windows\system32\csrss.exe{0B31F0A7-454F-621F-A905-000000003702}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:07.905{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-454F-621F-A905-000000003702}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:07.906{0B31F0A7-454F-621F-A905-000000003702}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:07.389{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3771CD81348F22423653FA78216A834C,SHA256=E9477034501918CE2A82A5BC0AF95B921E7721ACD96421BC707F901101BAD266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:07.821{328C47E9-32CB-621F-3000-000000003602}2276NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b2a54b03ec6c5aa7\channels\health\surveyor-20220302090308-077MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:07.054{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B5F0AB1E5A2FB03F4EE97E5A9430BD,SHA256=36FDFDA24139474DEB08B72BF33380782BFB5AF7B11D20AFA2B495500842DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.920{0B31F0A7-4550-621F-AA05-000000003702}37523332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.920{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D688C4BD2F51DF0E593BB1B3B0759DF2,SHA256=21C8E91DE0EDD8E9D07D1952B123770993E6F584B2E85A785F0659FEDE23BDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.920{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD3B80CAA9D2F6C0432A7046CF508E7A,SHA256=CC32959977C331DC8B6985E3C345D4573AF73F4057D4BB0705F30D5F7FABEE40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.764{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4550-621F-AA05-000000003702}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.764{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.764{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.764{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.764{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.764{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.764{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.764{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.764{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.764{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.764{0B31F0A7-34D3-621F-0500-000000003702}3921048C:\Windows\system32\csrss.exe{0B31F0A7-4550-621F-AA05-000000003702}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.764{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4550-621F-AA05-000000003702}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.765{0B31F0A7-4550-621F-AA05-000000003702}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:08.624{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68D21786B1EA22190217FEF1751232D,SHA256=B6B408748EB547947FADB7491C97104F267B5C6D6B56663D081901BD81C83AD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:07.121{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65378-false10.0.1.12-8000- 23542300x800000000000000049454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:08.084{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A828242A8D6255E50D492E49D42D390,SHA256=071DCE6A961498C9058ADF63A02789D9E084068C90A7DB8B5399E5BC700E1233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:09.087{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15161BB546FBD0F262EEABDF8359363D,SHA256=F47F1A7D1E1FFDC30FBEAD0BDB7265807279908900194297716BA4C0E3111A02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:09.436{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4551-621F-AB05-000000003702}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:09.436{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:09.436{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:09.436{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:09.436{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:09.436{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:09.436{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:09.436{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:09.436{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:09.436{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:09.436{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-4551-621F-AB05-000000003702}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:09.436{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4551-621F-AB05-000000003702}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:09.437{0B31F0A7-4551-621F-AB05-000000003702}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.452{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D688C4BD2F51DF0E593BB1B3B0759DF2,SHA256=21C8E91DE0EDD8E9D07D1952B123770993E6F584B2E85A785F0659FEDE23BDA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.342{0B31F0A7-4552-621F-AC05-000000003702}1228828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.202{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE38D551EDB56F70456960B9315AA0CC,SHA256=9B6BA90418CBE92D09CA1FB907BB0F6A4B6EE1CB32CC04035F5713D5E7D58F44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.186{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4552-621F-AC05-000000003702}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.186{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.186{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.186{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.186{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.186{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.186{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.186{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.186{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.186{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.186{0B31F0A7-34D3-621F-0500-000000003702}392508C:\Windows\system32\csrss.exe{0B31F0A7-4552-621F-AC05-000000003702}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.186{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4552-621F-AC05-000000003702}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:10.187{0B31F0A7-4552-621F-AC05-000000003702}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:10.431{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:10.431{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:10.431{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:10.103{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74F3DD35E99D8C383E57EFC205A5608,SHA256=28C88C267AC5149876013C14EECF4D871CF8FB21B6CF66EC18195E92E0253D8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:11.150{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086F06ED60AC08AA452541CABE50DDA8,SHA256=B4CC03BB7C2226D33118A4FED532F67E1270C67811CE714AA33C3993E82817CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:11.217{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5443ABAEA868DD9C2F228D8C1456E2FB,SHA256=413771DA46B11CDBDC9010362C3D614A5E19A2A67F9DD1F6BB195E8390E61F76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.920{0B31F0A7-4554-621F-AE05-000000003702}4028900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.780{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4554-621F-AE05-000000003702}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.780{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.780{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.780{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.780{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.780{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.780{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.780{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.780{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.780{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.780{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-4554-621F-AE05-000000003702}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.780{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4554-621F-AE05-000000003702}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.780{0B31F0A7-4554-621F-AE05-000000003702}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.311{0B31F0A7-4554-621F-AD05-000000003702}26921832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.280{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52EFB66FA6C16887E5135413590581B9,SHA256=7653E9FED55A47B461CE566795E95433465A64E5008DB7D6E880BB96EF44AFD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:12.572{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:12.572{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:12.572{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:12.181{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB71EB5E78C909168789B21DA20C740B,SHA256=04769194C0A62A88E23DDB93A18CADD6F4BA45ED4E2F098C9C386CAE30E073BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.108{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4554-621F-AD05-000000003702}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.108{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.108{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.108{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.108{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.108{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.108{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.108{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.108{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.108{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.108{0B31F0A7-34D3-621F-0500-000000003702}3921048C:\Windows\system32\csrss.exe{0B31F0A7-4554-621F-AD05-000000003702}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.108{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4554-621F-AD05-000000003702}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.109{0B31F0A7-4554-621F-AD05-000000003702}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.452{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4555-621F-AF05-000000003702}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.452{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.452{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.452{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.452{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.452{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.452{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.452{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.452{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.452{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.452{0B31F0A7-34D3-621F-0500-000000003702}392508C:\Windows\system32\csrss.exe{0B31F0A7-4555-621F-AF05-000000003702}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.452{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4555-621F-AF05-000000003702}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.452{0B31F0A7-4555-621F-AF05-000000003702}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.342{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF2ACC67F526757E1A45C940A468DD9,SHA256=E99B5181D5964632F60696ADCFF5B141A6E85BC6C935CCEEA93EC3A120885A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:13.181{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFD9CC57A6E6D1BDB2E311F35743EBF,SHA256=5C6112DE705131866E43E4E2A27B702AEC17A1249B16D527E4EAC628D516F474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:13.124{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EE25770242AEB1646FB1306EC120077,SHA256=8719553B670288C58823281EEA72D0BD35AAF3D9A4DAA7293642842860FF2948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:14.577{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6958FE79FEF81AE912F31D349B78B067,SHA256=EED3FBCDA50046F35A5134D54DCF4C78DE18B68EA61E8F1AF4C1818201ECEB0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:13.029{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65379-false10.0.1.12-8000- 23542300x800000000000000049467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:14.196{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1211E64881074EC8A4CFCE142EF850,SHA256=49B6C0AF095BFD54C7A9EB4EBE83F0105221BB0575FF2DAA2271C6FBE154C52B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:14.467{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C2FBD64DB2B290EAD57BEFE3A2C80E4,SHA256=461096990E8CE78434BEFA8D31369777012101168B8CDB1666B8A1CA238EF45D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:12.041{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50512-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:15.639{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4E8E24DCD88C7744A9BBE510717154,SHA256=8A3C6210D5126F73891D801D16BFC15052B1E79D679E21E621F190A166592D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:15.212{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF70517EEB791D5C1A03FECC5FB5E44,SHA256=6671ADE74F9381E183FA5571374A584744BEE7ED11B36DA63372DBC96E327ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:16.670{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73E0C02B43727EFC48F1F26EEF25207,SHA256=489959320CC2301EB608A6D44B3F8776E51B7F858835429460F0215B85962776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:16.212{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DC027654139928A1C08D4F9717A90B,SHA256=77CADFB5510DDAEA1942A6EEF10B7F39A2AAEC39B52969AE5B2B8795BA723419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:17.873{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13536C7A2DD384A42CDC656519E4B5E9,SHA256=8FC8DE2DDA490559EA3D447DA4043287078EFA0CC7BD3C5D063135D07BC13DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:17.228{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E11B287FC18244C324DE2A2202308AB,SHA256=85D214E7DAED4BEE046718BC964E194C4A9D913FDFF82151483935AD0CCB74B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:18.243{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7975A0D192410A5F238FE966A4FBF07,SHA256=5815874404FCD71CD242F87311EFDE39E10F7B85AD6FEE4C6504602E94346037,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:18.216{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65380-false10.0.1.12-8000- 10341000x800000000000000049512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3909-621F-3F06-000000003602}1136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3909-621F-3F06-000000003602}1136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3909-621F-3F06-000000003602}1136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-3907-621F-3E06-000000003602}3976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2700-000000003602}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.306{328C47E9-32BD-621F-0D00-000000003602}884904C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2700-000000003602}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:19.243{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A63613CE8FEF18087995EB3B26A5129,SHA256=BD2F40D4BC7F8AD0AEE885452C437B771F6886233118F497FAEC9027433DB040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:19.108{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9BB632B6C803DBC371C38B467A58675,SHA256=65EC3376A80FA622ACDA888CC47C6595E89534E1F990C30A89BB40C0754DFB16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:20.665{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC54B94F09A340BE2386019DD1C72DD4,SHA256=755BA25936D7FB974CA26B077E136F6271F349D435DD1D0C2D49DD0AD0C8A60B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:17.978{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50513-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:20.217{0B31F0A7-3557-621F-9D00-000000003702}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=BF300F7014437E589E790062B067C7C5,SHA256=F82904089512CD064BF4FD93876F475B3938370D05E059CC66B62D22F3E3360E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:20.139{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36AE9E21D283C280D25EE11CBE8DB84,SHA256=193B5A7CF39DCC3463000EA7610F8051D85D0FDE0FF9D6DB0BAD7CCFEB2E525F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.760{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-455D-621F-1108-000000003602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.760{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49221E46C8355761D31C28FC3E7CEBC5,SHA256=85B2A83C5C09554AED857F6EAC417828218D97281C318A9FBC3F986927FC6CF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.760{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.760{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.760{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.760{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.760{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-455D-621F-1108-000000003602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.760{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-455D-621F-1108-000000003602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.761{328C47E9-455D-621F-1108-000000003602}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:21.144{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99DF92F7F6798A61BDF644B015FA3DAD,SHA256=D257996F41366F58212FD0E65AF23FB1F1424AB41A2CAA64804D5CEC1353AE5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.463{328C47E9-455D-621F-1008-000000003602}54045124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.260{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-455D-621F-1008-000000003602}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.260{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.260{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.260{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.260{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.260{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-455D-621F-1008-000000003602}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.260{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-455D-621F-1008-000000003602}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:21.261{328C47E9-455D-621F-1008-000000003602}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:22.807{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3FAFFAFF628DFEABCDB9337EED8FF4,SHA256=51957AF5DEC74FCFBA38B0E5BE3AB67C9576056DA4C1E1B23C8EB7A39C75A928,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:20.041{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50514-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000020187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:22.159{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B526F3791B7543ED3693230AB47F4EB,SHA256=5FAFDE7DD8C8C11ED8CD235C8E62B22FEC761306D96D50FEFC9BE51485FBA0F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:22.416{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01113E25A67623613853F588118DC880,SHA256=20C62B50B2E517FE6BED231F29733BD2A38370765B7CDE6F13A381B7E4E2B372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:22.416{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE2101521EEA9A8B9B12AB5029526BA3,SHA256=1B13A16E6238992C94D7AFD1B0DAAC817725CEE21CAE57E633E265B6030161C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:22.276{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-455E-621F-1208-000000003602}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:22.276{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:22.276{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:22.276{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:22.276{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:22.276{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-455E-621F-1208-000000003602}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:22.276{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-455E-621F-1208-000000003602}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:22.277{328C47E9-455E-621F-1208-000000003602}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:23.854{328C47E9-455F-621F-1308-000000003602}66485844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:23.807{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BC0DFAD82193D534302AA1E966B1C3,SHA256=23C0546821C08CAB3760BE7EAC0306E4C35B7930373888877B6277E848B1BBB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:23.175{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B6191918AA25422CF3F865B1D7248A,SHA256=AFA95D463B33CF6245D3F701B4917B9E6217A378E1E66833A04AB5C501D84887,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:23.651{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-455F-621F-1308-000000003602}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:23.651{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:23.651{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:23.651{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:23.651{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-455F-621F-1308-000000003602}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:23.651{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:23.651{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-455F-621F-1308-000000003602}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:23.652{328C47E9-455F-621F-1308-000000003602}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:24.190{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB74EC9B8CF8350ACC8F826E6A33F0C,SHA256=6AA57805CB88853E577703CBF8B1C1183381E1C3BB57D0F813579C88BDF3ED3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:24.682{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01113E25A67623613853F588118DC880,SHA256=20C62B50B2E517FE6BED231F29733BD2A38370765B7CDE6F13A381B7E4E2B372,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:22.217{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local65381-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000049554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:22.217{328C47E9-32CB-621F-2800-000000003602}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local65381-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local389ldap 23542300x800000000000000020191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:25.206{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698AB5705720F706978324D4E0621BA0,SHA256=00CBBE7D16F2C441244F5E735F96D0205F2AE5C0DDB2849628E82315D8AE2621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:25.041{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26E36E521EC4CC1DA0274632B76E566,SHA256=E5F2A37C9F3D5C4C6678686B56CD2871BCA8B9C9FBC5A27FF7988408B897291B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:23.904{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50515-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:26.222{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E7159B85DB12E497DCF5BE2C67F4CF,SHA256=B59F5E85EF02B1F963E3E4551E6FF428AA8A43B4CBC0CDC8C52C2572727DACB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.870{328C47E9-4562-621F-1508-000000003602}53723968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.698{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-4562-621F-1508-000000003602}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.698{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.698{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.698{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.698{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.698{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-4562-621F-1508-000000003602}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.698{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-4562-621F-1508-000000003602}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.698{328C47E9-4562-621F-1508-000000003602}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000049568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:24.155{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65382-false10.0.1.12-8000- 10341000x800000000000000049567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.213{328C47E9-4562-621F-1408-000000003602}15647432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.057{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D96278738BE0FF14F8E3361F0B9BA8,SHA256=F4756338C568016C5E0CD14B54F421A3F54B77E6FD111724B3226C64AA5D09DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.026{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-4562-621F-1408-000000003602}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.026{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.026{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.026{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.026{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.026{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-4562-621F-1408-000000003602}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.026{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-4562-621F-1408-000000003602}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:26.027{328C47E9-4562-621F-1408-000000003602}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:27.222{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C3C120255BDDC0C3328880D68CFC2E,SHA256=4C648C11EEB6E1AC96DF746A235C701559C282B72DF99F9C1D092C5C7473C230,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:27.682{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-4563-621F-1608-000000003602}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:27.682{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:27.682{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:27.682{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:27.682{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:27.682{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-4563-621F-1608-000000003602}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:27.682{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-4563-621F-1608-000000003602}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:27.683{328C47E9-4563-621F-1608-000000003602}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:27.073{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76725E28260D09A6FA6E618565DBBFA,SHA256=9E2369BC9F3D937347323223D0040B92CC74F6205B3C303613ECD2E020060306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:27.041{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A63DB2331913246C88BB3F88B376635,SHA256=73F20BA91854BEF908FB3A3E0B53DF7AF80F4391B00808C548E46F8706E6A7B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:28.237{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0127599283B8982F769F73E620F3A641,SHA256=3B5228871E02DE2512AD608703DECC61940348E72263FFDE8364B93815E05B55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:28.698{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A04F90E0B3D082C7DE3F2032EDB0201E,SHA256=AA756C142C43E72E53BE573217AFF15DC796B6386941636899063F0ADC4EFAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:28.088{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D85A7BBCD4F32C7FF417D3F5BAA220,SHA256=CF1CA14D95B75880898188B00B3A00E62CA0C68837930DA4AE246EAB43C1FCEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:29.237{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4762734E04358093B58835B5990C4871,SHA256=C6C185410319D0DE3D0484D7938032792A51A0ECCBC8CBF1A0D3442E865AE412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:29.135{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C3D3E9C1AF9ED4AA9D3F1C795C92DD,SHA256=1F90CAB4A051A91B97995CAF73BA7EA9D14BCDC6FDDC4CAF61DEB7253DBC017C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:30.151{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA52D92DA3C9C9B1984DE35E1B260230,SHA256=EF766F56B439A308751350A8F2194B567B886394BC79BC5DC742402D4AB89D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:30.253{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7CF4F801B34009493FCFCA3A66A873,SHA256=395846956D8EFBD025AFE8FA20F8CEFF411EE8ED73D00B1ADAF34FC0AEFF619A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:31.166{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F29A8D942212760FF260C148310335,SHA256=67F9414CA0C4054EF911E4A2607C3BF1CEE5AD65D264AB83B0902886280FD416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:31.253{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69E5F543BAF382C0DEAD41DDCEFAB13,SHA256=1A1A6079217578D3CCE3C3DE807F9109126E9B689314C272B3A03DE37E5DB792,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:29.920{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50516-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:32.268{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED3724692448CA255510ED341493F6F,SHA256=9DAFF1484D85F7E5767EA59A9F68890A43DEE25CC8F98B462D4A9FC4C769E68B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:30.139{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65383-false10.0.1.12-8000- 23542300x800000000000000049593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:32.166{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2C5406AF6E93A7AB51A57B36DC42D0,SHA256=95CDCF8D63FEDFCABF9345DA7DA3589F562A9B9FDF93AEA9D6A9BCF746F9E14A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:33.284{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9AE7A0CB1FC884BD071C5BAC15F882,SHA256=C46C3539A2AC755D2D48841C1DB193381783371BE5C63829453060F158BBDA2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:33.310{328C47E9-32CB-621F-2C00-000000003602}2984NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=BF300F7014437E589E790062B067C7C5,SHA256=F82904089512CD064BF4FD93876F475B3938370D05E059CC66B62D22F3E3360E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:33.198{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A420BBD3299723E72A33ADAB3D496EA,SHA256=ECA3FC1A11686F3D481203CE38B905FE0BD7683BB84CB7D2E07C538E963B1604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:34.198{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907105CF640DB05308BB5CAA42BA014F,SHA256=DE57D46041F0CB0797148BC6F3DC7A233CB17D05EAA56947EF0318C75489BA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:34.300{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D67C9EBA23C2799973DAD3C3AFE00AF,SHA256=B6C7AE1C84C553A683F9B9A165F2B07AA7FF8A116B7279DF734921E5A4250A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:35.661{0B31F0A7-34D4-621F-1D00-000000003702}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05f92af3186bb896f\channels\health\respondent-20220302091151-068MD5=430E98715AF7AF3635AF491DD4D57DC0,SHA256=DB5ABDF044C29F4F52A2AE95E41AD07DA17545B9719AB57C70BFA50A5C4AEE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:35.315{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3F310FCAE1B79FB11EE7D79C525D9B,SHA256=69832E64356F1A6DBEA12C20C5B89F958E60B3D52340000AEA05823A24067D76,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:33.264{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65384-false10.0.1.12-8089- 23542300x800000000000000049598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:35.213{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1EDCBBD54B4EE3EEEF08E259FCCC75,SHA256=932A96A472015C4A64447244A146A9BB9A26B86B7D1333D57FBF93ACFDD77818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:36.675{0B31F0A7-34D4-621F-1D00-000000003702}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05f92af3186bb896f\channels\health\surveyor-20220302091149-069MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:36.549{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B364E325BD043297F3D389BA1630493,SHA256=CB1A4C1C87A17F9E3B79E5AD05F54A9635B5D08D883564231E680C7146C1572A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:35.141{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65385-false10.0.1.12-8000- 23542300x800000000000000049600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:36.213{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A48F7C16FD81521AFBC38565C2C468,SHA256=9013F0B4D57DCECA7972FBBB837D2A4EE21297421BF920AB793429A01621AAAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:35.935{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50517-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:37.675{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC81880F99F0928247C2E2EE5617714,SHA256=23ACE66D4528D1E9DCBA386EBA2BDD45737E36C55B239BD5214DC5AAC0981A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:37.229{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17591DAB543C413187DD7B6779558F57,SHA256=510A2D9597C4F34B9189AE8DE3829F17B0BA9A0CA54A20804FB2C174D2CDB7BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:38.831{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F893C8F285CD37806864A58BFBE3C05D,SHA256=FDD2E112C2DA49D880AF7C071832D4C14F8F2185CCD31600B8F5B4F5AC70A864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:38.323{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F56E9BA1EEBFD5FEBD9D8DD966133F,SHA256=FC12F8CDC0C476CA33B0D72E690CB770B48D099026231CC587B4F5C6B8DEDE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:39.369{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67AA8AD09980F92F26CAF4AE60B98A1,SHA256=FA29997B3CF8F50CBF3A98550C7BF00B1D70BB6F647859126CA300C4B576615C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:40.385{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99FE563716B4F8D16DA1832A0E108032,SHA256=68B78708B9969EF5DA3E38676F36FE8D5F0E31EA2953EDF97D24C68A08C40629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:40.066{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4BF3A2683C1D22D769BBFBBEDF64BB6,SHA256=93CB729309CE2A2F9749D94E90A59B90E23528F18D68BCDE1BD25F5799017B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:41.290{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=859CFFDE861A10889051682572BC22F5,SHA256=A4DDA87A77B16E98AD8B9CC80F25430014F8F2F75ACFD464EBEB7A1AF670CF06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:41.391{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB1E870BA3968CE240CF6ECF489F36E,SHA256=F30A95EEEB5E51D77D81B61AC04F751EA7270ACC9ECD427DFC2F6CCAB4FF67E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:42.305{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0967B4C4CDD3627592A958ACCB563579,SHA256=6D7D81F59000C9749E884E044C2D2704F18C580EEC21E4684A9C7CA853F14F96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:40.170{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65386-false10.0.1.12-8000- 23542300x800000000000000049608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:42.407{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EED62A1C5953CADE6BB1F1D32826414,SHA256=6E2E930C741DF4601B8618FD251C586A1C7822D3447D61BF23737C02FE2A8B06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:42.266{328C47E9-32BB-621F-0B00-000000003602}6161212C:\Windows\system32\lsass.exe{328C47E9-32BE-621F-1400-000000003602}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000049612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:42.242{328C47E9-32B8-621F-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local65387-truefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local445microsoft-ds 354300x800000000000000049611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:42.242{328C47E9-32B8-621F-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local65387-truefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local445microsoft-ds 23542300x800000000000000049610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:43.426{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41226FE16EF422EC9165C18A41E5959E,SHA256=5401149D16241DD08D9B1FB753BFE69E288442E225D57FD917730BA6713175AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:43.368{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8D9B0D2708CBF8D5F0BB6CD21BEC1D,SHA256=FA8ADE1C1EB8BE2A4D80DF5A87E4FA953E4D1FADD46C0BE95C22A56CDA98FAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:44.438{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E4D10041E31425A99A77E874B293BC,SHA256=27168C6AE6DACBD89D3213A0FBB6BAA6608DC9BCB099DE267E7933DBFA005B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:44.399{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF31EA793565772575E79C923EB7909B,SHA256=26F1546E805D65D5DAF9135C0FC06935AFC2C6BAEF70742FF6690B05ACE7B510,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:41.957{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50518-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:45.415{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02300F557A0F06B16E8DD5958E02FCFC,SHA256=30DE3812B61EEB6F7788A61E150A3D253E953696871DAA3AA4522CA0FD3D0B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:45.469{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E16971372312D2AC43F89B40641D1F8,SHA256=20C5C0BD02112EE55C0EC61CBD8469B17AF7B5F758828B8BB3D46B17841562AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:46.430{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6263C004AFBD25BBD25F3D585E5B0E2,SHA256=FB939DF17D1E13710456FCDA9AA79258DDAEAE623B68A1DB205F934CB2F5C68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:46.469{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1005653285A2380F7C18FF1908132BE6,SHA256=0B18BD39C21DBF80AD5EE40835D3A20952FE1FB17915D5B59B0DAE73238E841F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:45.176{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65388-false10.0.1.12-8000- 23542300x800000000000000049616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:47.485{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD92F5D5CFB4A79085CB59C0B9CBEB03,SHA256=27A92B1E76C87F861E9DF9FC88E30F5A9890C24E74801BDE9053423514049601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:47.446{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179C4C6BF999597980BF9041B406204F,SHA256=95B17CB88541AF12B2BA21AF283BA10C1A83FC9BB539404EA3208B5F242CDC81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:48.517{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9445A2DD687F6B90888C0F821EF277,SHA256=15B556A4074566161E7DD4F11B57BA4C36ACF6DCC7F12D2789EE0BF0486A2404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:48.462{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE9274D0A68849DE080A5A273EBD1E6,SHA256=A89EBD812B5C3B5AA38C65F540E78CF2F7BEF314098DAF0C227E3F0182F96CA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:49.578{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF266CB6879D361F4F83597B6218E48,SHA256=08CCD203B98D33208ACC587CCFB2CF969BE92966C409CAF851F3F0CEA3BDCB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:49.462{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C257FCFD58E76ED66575EB77DCA247F7,SHA256=AA118C05019E1948F3EC25EA6EDDD29018050C3F38E9849CB70DA91ABD802FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:49.274{0B31F0A7-34D4-621F-1100-000000003702}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=89B6E387C09D33199934CE99EBF17ECD,SHA256=15966441553C313481BE870861EAA972447C7270E1FA9A1351CDF05018FFD1F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:47.941{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50519-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:50.477{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A84ED1E671313F9810E744DCBBC186B,SHA256=2B6701CA46E663115FE83A5458D89259BECB87101E2B713E07E231935E3CF6D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:50.625{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F48EE8D36EEB4975B4ABE39555D9C5,SHA256=0752596274BF99266208BC1C3BDBFC725225D0270B3D9CD349A131E69EAEEF8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:51.969{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:51.969{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:51.969{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:51.657{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA63702E02921EA4F4125B2EF5913AC,SHA256=B6E27703BE6F5C4556094039CAD5AC4B346C3DA3AD47DC22E737CCCCFAA45D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:51.477{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276531E88EC1EC19EDBA0B1042F7B85C,SHA256=921594022B7CC1DD838D526A5B362B3937CD152FAABD78A386484A78E2599210,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:51.223{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65389-false10.0.1.12-8000- 23542300x800000000000000049625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:52.672{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169AAC9E87B597D9746B5C6B67F9EBCE,SHA256=13A0BB2BCEB31DA4003899DE56F10C8D6A695760C3F1F66A47352F4776DFAC03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:52.493{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99EB6191C31FB1520FFF84197F1211A3,SHA256=360403F3687A6739ECA5CE3C0B1C8995EA5B8266B508CFD642AA5DFE410F65C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:53.688{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40215616D3B8E533EA3458B6F98EF8F9,SHA256=033AC497D4381623079C2B09381A16FC2F86976E7DC4683CC7E18CC54A56C35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:53.508{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A112BD8908AED6176B5D9335A227FDEB,SHA256=968F935C9E455C3FC35051216F08B6ED402EA7C621B5C5EABE3DA444F0C88A6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:54.766{328C47E9-32BE-621F-1600-000000003602}13163204C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:54.766{328C47E9-32BE-621F-1600-000000003602}13163204C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:54.750{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:54.750{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:54.750{328C47E9-38F8-621F-2E06-000000003602}23081160C:\Windows\Explorer.EXE{328C47E9-44E3-621F-FF07-000000003602}5648C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:54.719{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91C551A8E669F910124EC610832B456,SHA256=FD794B5ECA7E5EB9477BF9496FBF32E17702358FC849D9EAD42225AE9AC18F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:54.524{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEC42C5257AE68F3AA951729A651E7A,SHA256=53688F593E24C7DAA15E529B46573270D551E74F17CF6E7452A081BCDE15C330,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:53.957{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50520-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:55.540{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DADBF3F599E5096EC376388F6F9E21EB,SHA256=8A0DD00E1F94C9D1B81107EB8F3F9C916B095B1E18ABBAB328ACAF71833B4A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:55.735{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B2DA3F7BA135883FB06C2BFCF8E0BC,SHA256=B9F8D3DDBFA30C500DFC8CF2C9485BCB8B38BB7EF833B38DF7E3B0624BF805DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:55.188{328C47E9-32BE-621F-1200-000000003602}340NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4461A53428843D76B9AE63E8E3B7CCD8,SHA256=D26D26446369D16889614115D792538FC7DF978CB5B6AEC6BE124560F5E98EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:56.696{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E5C88F0D40B7458A4093A693A1BC44,SHA256=0920174B8A792FE8762C18C53601FEA383320554D7BB7139C0D80375BDD861F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:56.766{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CBE0E939C27B740E3938A0CD0061C2,SHA256=43C39BF566B3BF7E626ACE79B91739549D85C67DB8BA856966126E59C7B0A493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:57.836{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CBAE24F4EEA42B7FB6A61873BCDA399,SHA256=F080945014246759DC6119D8F8306D37F6022804D5663E9666F47FC3D581964A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:57.985{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD1976F337E26BEB00887DE82C7E85C,SHA256=9A48644D471B204D3F0BE4A3E140DE72A73FB122AD604DCCD83B4CA06541EF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:59.071{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4704416F3E30AA2D0EDAE84C7D016AF9,SHA256=376254BF849B3CB243F88138AD68CB9ED18FFBCEF1DE1F33C4A41D16D29AEDBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:57.036{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65390-false10.0.1.12-8000- 10341000x800000000000000049639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:59.078{328C47E9-32BB-621F-0B00-000000003602}616656C:\Windows\system32\lsass.exe{328C47E9-32B8-621F-0100-000000003602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000049638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:59.000{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2356BB1F7A091460F4667B353A4C593,SHA256=54FB066BEF4731258F7FC8D9912A7C29C85BA6BC4CCAD6B7D9E086181716B73D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:22:58.972{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50521-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:00.180{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2764951240B817833BCAEFE3EC966F8,SHA256=E66714275799718EA3BAE7E4612E2E8FCFCBDD46FD613DA827D9D5A4D44235B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:00.094{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43A53D994900E56E1149F2F5281EF58C,SHA256=BA01E16FBE712D4F2932703F49D7DE9EC0CB36C92B14DBD4E270879480E89099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:00.094{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85DAC4DCF581287B2F0B5D0E04EED1AF,SHA256=A71DC48ACCA50DC5463EFC24772E9F6085BF6672509D995FC98E728BC0B415B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:00.031{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A301EF94C9BD7804C34432FBA85645EB,SHA256=3923C705D456C4AB7ACDEE690BEC125CA81543C4652EB553966AECCA53913C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:01.341{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A9F4C8803A95B00EE0B3C4F3F93E4D,SHA256=1BC7FBDEDCB2A41F3D9219A906AC61962C12E577BA3FA6C7F2CB97FA1FCED516,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:59.052{328C47E9-32B8-621F-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65391-false10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local445microsoft-ds 354300x800000000000000049645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:22:59.052{328C47E9-32B8-621F-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65391-false10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local445microsoft-ds 23542300x800000000000000049644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:01.052{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F289D5191A21F2D0193DA32F00FB6E,SHA256=72784788FA0E6A9FB9E2D22835AF970DD7C4B7EB52E6FAE78CD0264E8552332C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:02.576{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B3B89BD29838C63215CA4521575745,SHA256=6793468661C8BA47B9C8B14BD2A18651B6C9AFFBE43829FCAA5F91A0CDF691D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:02.068{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD47A553C9184C9B21CE7287DB38AFD9,SHA256=0E64D74D7709637AAAAA3C2FF127F2BD6D4F590BEB7011615C910CF413890CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:03.623{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78606D399EB354D446F1D3C5B0B56B67,SHA256=ACA4E15518BF0C43141C2DA66B6C149CD34B11C0374E7808D19316E5722E93A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:03.115{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF706059D2A466DB6E7F3A3D0AEBBF3,SHA256=A4AA1FDA0BEDC26B69DC7CAA81E8BB7CB012144F3261566EF873DE7ABBD59895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:04.623{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731A035D69D575C5356D9F902959F873,SHA256=1E03D227CC0CACD4945489BA008D57F4E1ABC683F112B0285D2EC0DBF0B8253F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:04.130{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD584714D109336FDCA103EA1AD7E97B,SHA256=E1ADF77FD50B35028B7C990BA875E499F9B23E84A6027B08B86082BDEA07D7CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:05.638{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFED819A0775C87AEB55B444DFAB98CF,SHA256=7AD8A7F67C971E91335B74EC5BEBCBE10341603E5B33278DF2A1F72420A7CE30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:03.072{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65392-false10.0.1.12-8000- 23542300x800000000000000049650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:05.333{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0605B431518BB563FBC819F8A4ED1982,SHA256=B3B2BBB76476B4F40287D6C65A044CD3CE5BE281125137886508A654BDCA63FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:03.212{0B31F0A7-34D4-621F-1100-000000003702}964C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:3495:111f:f5ff:fef0win-host-tcontreras-attack-range-468546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x800000000000000020241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:06.654{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D2202C802073457DB494A786352E22,SHA256=F36044408A825D70061BEC29162A5DA0949B75989EEBC50D7B109FD89EB6A0F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:06.349{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5B2EBCFEFE1EB64DFCA389755245A0,SHA256=30119E18DBF5ED119EB4CBB86C20319AD04DA6C993200F9925E0FCD576634BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:07.365{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242CB8994D8388EBB311C9D4BEDAE34B,SHA256=FC983530F667F3F558CE4498EE8F29475AE51A44593BFB3D634053FCBBD295A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:07.904{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-458B-621F-B005-000000003702}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:07.904{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:07.904{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:07.904{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:07.904{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:07.904{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:07.904{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:07.904{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:07.904{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:07.904{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:07.904{0B31F0A7-34D3-621F-0500-000000003702}3921048C:\Windows\system32\csrss.exe{0B31F0A7-458B-621F-B005-000000003702}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:07.904{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-458B-621F-B005-000000003702}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:07.905{0B31F0A7-458B-621F-B005-000000003702}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:07.654{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB6961325101FF6F54F6E507D076029,SHA256=8B1323D0E8AFCE463D146CA22FAB3AAEBBA2C52D864D201CBD7880FF7242C113,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:04.930{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50522-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.951{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=436DE8807A95653883FB378509A471D7,SHA256=96C3CCD76DD18150337037B1BB55D30859822241B65258CB799FEE4A3F590B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.951{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29F8EE0893AAEA6A0ACBB874A0128777,SHA256=9B0792DE2E4359F0031E0C951132216168643A057386F83FA9904F93957E1234,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.888{0B31F0A7-458C-621F-B105-000000003702}5002648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.685{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-458C-621F-B105-000000003702}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.685{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.685{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.685{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.685{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.685{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.685{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.685{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.685{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.685{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-458C-621F-B105-000000003702}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.685{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.685{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-458C-621F-B105-000000003702}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.686{0B31F0A7-458C-621F-B105-000000003702}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:08.669{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130577E55E05CDCF698D22ED508E78F6,SHA256=F0751E8CF79CA7140B474B15D7ED569F9ED5AB7143D4F962DA4871B394672A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:08.365{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7AE1979B1CF78434BED98A8D738E5C,SHA256=86D6021970AB0B007087EF02BBBEB7439AF3612427C6F12338BDD3DCC61578B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:08.353{328C47E9-32CB-621F-3000-000000003602}2276NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b2a54b03ec6c5aa7\channels\health\respondent-20220302090310-077MD5=47B9AB6966A9A68B2D576A1C6AA75061,SHA256=8AF396895B30D9593371F8AB463A5CC9CFB2CD271124040E771BFC539AC707CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:09.369{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D344B3774B73CEF48C49A542D201100,SHA256=2B4BE2383B83A2C62F23698D86CCA02E82E2C632844321966713E5BD96E66855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:09.367{328C47E9-32CB-621F-3000-000000003602}2276NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b2a54b03ec6c5aa7\channels\health\surveyor-20220302090308-078MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:09.357{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-458D-621F-B205-000000003702}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:09.357{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:09.357{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:09.357{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:09.357{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:09.357{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:09.357{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:09.357{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:09.357{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:09.357{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:09.357{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-458D-621F-B205-000000003702}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:09.357{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-458D-621F-B205-000000003702}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:09.358{0B31F0A7-458D-621F-B205-000000003702}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.404{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=436DE8807A95653883FB378509A471D7,SHA256=96C3CCD76DD18150337037B1BB55D30859822241B65258CB799FEE4A3F590B58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.326{0B31F0A7-458E-621F-B305-000000003702}9562500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.185{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-458E-621F-B305-000000003702}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.185{0B31F0A7-34D3-621F-0500-000000003702}3921048C:\Windows\system32\csrss.exe{0B31F0A7-458E-621F-B305-000000003702}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.185{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-458E-621F-B305-000000003702}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.185{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.185{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.185{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.185{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.185{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.185{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.185{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.185{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.185{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.188{0B31F0A7-458E-621F-B305-000000003702}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:10.185{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B228F5EC452F362EB1E61801382A06C5,SHA256=893387928F81DD2C117140226DFCB72EDE1B4BFE04CCAD525ED8C3D18E355D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:10.900{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83CD8C27503BF1E377130F10EF056EF1,SHA256=EA1E2DA2D5DC6A2624819132C8A3F95B5B130249524C6FFC04CEABBDC9B8B784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:10.900{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43A53D994900E56E1149F2F5281EF58C,SHA256=BA01E16FBE712D4F2932703F49D7DE9EC0CB36C92B14DBD4E270879480E89099,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:08.186{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65393-false10.0.1.12-8000- 23542300x800000000000000049658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:10.367{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604701314C711F37451FAF54676461EC,SHA256=C59A96EE0EE9F223CECD44ACA23CBB85FC880F0E4E55CB8757F5787F4ADE7B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:11.368{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9F5FA917067E778ADFC60B1BF7ECCD,SHA256=E8ED7C39DC87249EF8ED47CBF5B5BF62E8BDC675E1D418EEFC51A106699D7DDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:09.946{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50523-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:11.201{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0689DAE7018D86A21FFB5FA4722075D,SHA256=454295D8CDFCEBE60748710E10494B646FDDDA49E415D92022FC758F1A5E0953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:12.384{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9920D6018C2F4E7838DFFEE0EFADC20,SHA256=C9E297263E7FA2DA6FB5A93996AAA6FFC9E45F66388EFB11F2E238BF7764A2FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.935{0B31F0A7-4590-621F-B505-000000003702}25043624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.779{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4590-621F-B505-000000003702}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.779{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.779{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.779{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.779{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.779{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.779{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.779{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.779{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.779{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.779{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-4590-621F-B505-000000003702}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.779{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4590-621F-B505-000000003702}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.779{0B31F0A7-4590-621F-B505-000000003702}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.294{0B31F0A7-4590-621F-B405-000000003702}5603408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.216{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EA5AA90770111FBE48713C43C46EE8,SHA256=A1DA017E7D79376FCFA3EFEBAED72160B8AAC63B35B24CC0C683833F7E399EE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.107{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4590-621F-B405-000000003702}560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.107{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.107{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.107{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.107{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.107{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.107{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.107{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.107{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.107{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.107{0B31F0A7-34D3-621F-0500-000000003702}392508C:\Windows\system32\csrss.exe{0B31F0A7-4590-621F-B405-000000003702}560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.107{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4590-621F-B405-000000003702}560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:12.108{0B31F0A7-4590-621F-B405-000000003702}560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.435{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-4591-621F-B605-000000003702}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.435{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.435{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.435{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.435{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.435{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.435{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.435{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.435{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.435{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.435{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-4591-621F-B605-000000003702}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.435{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-4591-621F-B605-000000003702}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.437{0B31F0A7-4591-621F-B605-000000003702}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.357{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150F7C9BDF06474D4502A219561D7AD6,SHA256=D9C013C8FC6CCB1EDB38568E464182DB790C5D4F73E3C3BC365E537D83BDFBE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:13.415{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F10BA6BBFE88F66A89D513B1EEAA4F6,SHA256=27D086F09B8A879F0246F375A98D7C9145501F63082EEC0FE22F108C02018834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:13.216{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6D753623F7EE3B5FBA902EB1EC65175,SHA256=D32C927713FD530473D2B60BF98FFAAEDECF962556A8A7D5EE0D9A7D1504180A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:14.435{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BCEFA0F5290E4982CE1203F3641C73,SHA256=C362C5C00497B2D185102FEC677D2409185C1F056D5CD440CFD100B6CFF3CE3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:14.435{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A710FEBF48A4A7BE03AF1A180E9E5B3,SHA256=53D743D9C6805396F476C28E841E2376E02F410C9C6988EE25E86F39F11C996E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:14.431{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C89BE7FBF57444A1505E808AD07DD9,SHA256=C77138CE8B3A0B2AC1EE754EC61BC03F1675EA1E46B0037ED3D2912E0D895589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:15.451{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507E90283819AB8D6B70ABA7C648FBDB,SHA256=0B09CB2D5A8A3B122F1F95D5769093811BA6678AAE67F438863EDA8775D99E5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:14.091{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65394-false10.0.1.12-8000- 23542300x800000000000000049673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:15.478{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3968B2D1CE99382CFB6E045162BECA0,SHA256=4054EFF044F8A16E03A06BDAA4621C2047AB42390742D0212F0C28606639CAE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:15.321{328C47E9-38F8-621F-2E06-000000003602}23087640C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:15.321{328C47E9-38F8-621F-2E06-000000003602}23087640C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:15.321{328C47E9-38F8-621F-2E06-000000003602}23087640C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:15.306{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:15.306{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:15.306{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:15.306{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-3933-621F-5106-000000003602}5908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:16.497{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C4F88831AB1ED50B05533041BE31F8,SHA256=10FD538C50480D5509AAF0A181BBF0B327398CAD74216DCA986DC6DDC55C91E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:16.571{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48EEDC46AA535A613C58635A33D5D84,SHA256=DF967E89515CA8AC5504544711658BD07A885735E9540DC5AD488AA6B024C3AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:15.071{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50524-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:17.498{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131E4C90C4B97B71667261603F5B3AAD,SHA256=0A9C4297BC7CFF22DA0CBD04E784F666C9EBA571EC01F7F08AE31E2A1EE6FAE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:17.587{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2016058BE2AFCB5A87177B5BBE394EF,SHA256=5AC77B66010DAA0B3F23A9C894502BAE3ACE31C584BC6E48160A75712992DC6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:18.732{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCA520DC4A0496E3922C4678EC88850,SHA256=8660DFECD212C791536EC7E5C0DAE919FCF1D4B2A0D78B47A83A78DF5094922D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:18.603{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26ACD31ED0898E24D1EA2894AB26BEC1,SHA256=6971B85D03F7FD34C59ECAABCEF73C49BA75B46410F57B4D133C031DAEB9DB2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:19.794{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA82AA47F20D7CEAE421035F1187808,SHA256=101DF990B770E6D809B882686BC21A11DD993BE93B1960663E13EDD03207D066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:19.618{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10022D9CFD07A9EADEF62DE22AC33BF,SHA256=61A1A7CC49E459A76D5B8DA6071CDBCE3F0E089630BCC75157CF4B78367C50B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:20.802{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11017B681DBC37991EACC09EAE3E2014,SHA256=754FC1138DAB632A3FC8F085187D2583BB83E6773376E2EC34C4C6192C2985A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:20.634{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D24A81975A6D102E662F4B1A1611FEC,SHA256=DF2B4EF14203D18FE89AFB9B53E8E71CA2FEDF6D129EC62FF2140A9EF630B823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:20.247{0B31F0A7-3557-621F-9D00-000000003702}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=BF300F7014437E589E790062B067C7C5,SHA256=F82904089512CD064BF4FD93876F475B3938370D05E059CC66B62D22F3E3360E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.950{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842466B897D8FACA8A6DE2E6339C2C9A,SHA256=76ADFE572CEF15B0E20C88761BECBD4EB728C5052ECC719228F8B57275292EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.950{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB93289B7FC94243D417CEE821199E3C,SHA256=CB5B3BDB0DD735B8D99864E159FE8EBC7980753639F68B087995A8727D145960,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.950{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-4599-621F-1C08-000000003602}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.950{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.950{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.950{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.950{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.950{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-4599-621F-1C08-000000003602}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.950{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-4599-621F-1C08-000000003602}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.951{328C47E9-4599-621F-1C08-000000003602}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:21.817{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF0788273CAC8DED036B9DE96026ACD,SHA256=EB930AC16B32DD047489A02C983D6748B252E9DB9062F7005E78C3FB1D66AF4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:20.071{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50525-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 13241300x800000000000000049731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:23:21.622{328C47E9-4599-621F-1B08-000000003602}7380C:\Windows\system32\reg.exeHKU\S-1-5-21-255986400-45527644-2136164048-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTipDWORD (0x00000000) 10341000x800000000000000049730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.606{328C47E9-4599-621F-1908-000000003602}69648116C:\Windows\system32\conhost.exe{328C47E9-4599-621F-1B08-000000003602}7380C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.606{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.606{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.606{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.606{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.606{328C47E9-38F4-621F-1506-000000003602}39484440C:\Windows\system32\csrss.exe{328C47E9-4599-621F-1B08-000000003602}7380C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.606{328C47E9-4599-621F-1808-000000003602}19407820C:\Windows\system32\cmd.exe{328C47E9-4599-621F-1B08-000000003602}7380C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.614{328C47E9-4599-621F-1B08-000000003602}7380C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /t REG_DWORD /d 0 /fC:\Temp\ATTACKRANGE\Administrator{328C47E9-38F6-621F-7F7B-3A0000000000}0x3a7b7f2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{328C47E9-4599-621F-1808-000000003602}1940C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\regs.bat" " 13241300x800000000000000049722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:23:21.606{328C47E9-4599-621F-1A08-000000003602}3352C:\Windows\system32\reg.exeHKU\S-1-5-21-255986400-45527644-2136164048-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColorDWORD (0x00000000) 10341000x800000000000000049721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.591{328C47E9-4599-621F-1908-000000003602}69648116C:\Windows\system32\conhost.exe{328C47E9-4599-621F-1A08-000000003602}3352C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.575{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.575{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.575{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.575{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.575{328C47E9-38F4-621F-1506-000000003602}39486088C:\Windows\system32\csrss.exe{328C47E9-4599-621F-1A08-000000003602}3352C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.575{328C47E9-4599-621F-1808-000000003602}19407820C:\Windows\system32\cmd.exe{328C47E9-4599-621F-1A08-000000003602}3352C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.588{328C47E9-4599-621F-1A08-000000003602}3352C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /t REG_DWORD /d 0 /fC:\Temp\ATTACKRANGE\Administrator{328C47E9-38F6-621F-7F7B-3A0000000000}0x3a7b7f2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{328C47E9-4599-621F-1808-000000003602}1940C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\regs.bat" " 10341000x800000000000000049713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.546{328C47E9-38F8-621F-2E06-000000003602}23087640C:\Windows\Explorer.EXE{328C47E9-4599-621F-1808-000000003602}1940C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.546{328C47E9-38F8-621F-2E06-000000003602}23087640C:\Windows\Explorer.EXE{328C47E9-4599-621F-1808-000000003602}1940C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.546{328C47E9-38F8-621F-2E06-000000003602}23087640C:\Windows\Explorer.EXE{328C47E9-4599-621F-1808-000000003602}1940C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.528{328C47E9-38F7-621F-2706-000000003602}10201336C:\Windows\system32\taskhostw.exe{328C47E9-4599-621F-1908-000000003602}6964C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.528{328C47E9-38F7-621F-2706-000000003602}10201336C:\Windows\system32\taskhostw.exe{328C47E9-4599-621F-1908-000000003602}6964C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.466{328C47E9-38F8-621F-2E06-000000003602}23084276C:\Windows\Explorer.EXE{328C47E9-4599-621F-1808-000000003602}1940C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.466{328C47E9-38F8-621F-2E06-000000003602}23084276C:\Windows\Explorer.EXE{328C47E9-4599-621F-1808-000000003602}1940C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.466{328C47E9-38F8-621F-2E06-000000003602}23084276C:\Windows\Explorer.EXE{328C47E9-4599-621F-1808-000000003602}1940C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.466{328C47E9-38F8-621F-2E06-000000003602}23084276C:\Windows\Explorer.EXE{328C47E9-4599-621F-1808-000000003602}1940C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.419{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-4599-621F-1908-000000003602}6964C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.419{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-4599-621F-1908-000000003602}6964C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.419{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-4599-621F-1908-000000003602}6964C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.419{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-4599-621F-1908-000000003602}6964C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.387{328C47E9-32BE-621F-1600-000000003602}13161844C:\Windows\system32\svchost.exe{328C47E9-4599-621F-1908-000000003602}6964C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.387{328C47E9-32BE-621F-1600-000000003602}13161364C:\Windows\system32\svchost.exe{328C47E9-4599-621F-1908-000000003602}6964C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.356{328C47E9-4599-621F-1908-000000003602}69648116C:\Windows\system32\conhost.exe{328C47E9-4599-621F-1808-000000003602}1940C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.309{328C47E9-38F4-621F-1506-000000003602}39484440C:\Windows\system32\csrss.exe{328C47E9-4599-621F-1908-000000003602}6964C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.294{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.294{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.294{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.294{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.294{328C47E9-32BE-621F-1300-000000003602}9565168C:\Windows\System32\svchost.exe{328C47E9-4599-621F-1808-000000003602}1940C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.294{328C47E9-32BE-621F-1300-000000003602}9565168C:\Windows\System32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.278{328C47E9-38F4-621F-1506-000000003602}39486088C:\Windows\system32\csrss.exe{328C47E9-4599-621F-1808-000000003602}1940C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.278{328C47E9-38F8-621F-2E06-000000003602}23085892C:\Windows\Explorer.EXE{328C47E9-4599-621F-1808-000000003602}1940C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+aae60|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+18cf1c|C:\Windows\System32\SHELL32.dll+18cc73|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.292{328C47E9-4599-621F-1808-000000003602}1940C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\regs.bat" "C:\Temp\ATTACKRANGE\Administrator{328C47E9-38F6-621F-7F7B-3A0000000000}0x3a7b7f2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000049687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.278{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-4599-621F-1708-000000003602}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.278{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.278{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.278{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.278{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.278{328C47E9-32BB-621F-0500-000000003602}400416C:\Windows\system32\csrss.exe{328C47E9-4599-621F-1708-000000003602}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.278{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-4599-621F-1708-000000003602}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:21.279{328C47E9-4599-621F-1708-000000003602}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:22.833{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3481C670D8C3E355EED85A84FB2F8B7D,SHA256=1A2E4FED0D3CDFB60A5FF1221CE524E69DF21639F32A5D7CDAE6128F3387C9F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:22.981{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D5CF629B86C91C8ED09C93D7D732556,SHA256=CABB2A79EA1B6F7D56A83DC6196A33D81C72669494624E0AAB93703E59E7EDCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:22.778{328C47E9-459A-621F-1D08-000000003602}73605924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:22.591{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-459A-621F-1D08-000000003602}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:22.591{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:22.591{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:22.591{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:22.591{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:22.591{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-459A-621F-1D08-000000003602}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:22.591{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-459A-621F-1D08-000000003602}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:22.592{328C47E9-459A-621F-1D08-000000003602}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:22.325{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D237240BDC033A185C162E0787F1A4DA,SHA256=81ED8F9092AC7CEB98B018F4C24C250F326CABA229C2C35DD1463DABE1F81D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:22.325{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83CD8C27503BF1E377130F10EF056EF1,SHA256=EA1E2DA2D5DC6A2624819132C8A3F95B5B130249524C6FFC04CEABBDC9B8B784,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:20.091{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65395-false10.0.1.12-8000- 354300x800000000000000020361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:21.000{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50526-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:23.849{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3204E78AAEE7B063A90A2204E391508,SHA256=E6E1A45F2A0B9D9F228D5EF37739F13D01359E5D067F6B1A5500D5E655B0DE38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:23.887{328C47E9-459B-621F-1E08-000000003602}23923740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:23.653{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-459B-621F-1E08-000000003602}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:23.653{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:23.653{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:23.653{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:23.653{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:23.653{328C47E9-32BB-621F-0500-000000003602}400416C:\Windows\system32\csrss.exe{328C47E9-459B-621F-1E08-000000003602}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:23.653{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-459B-621F-1E08-000000003602}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:23.654{328C47E9-459B-621F-1E08-000000003602}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:23.606{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D237240BDC033A185C162E0787F1A4DA,SHA256=81ED8F9092AC7CEB98B018F4C24C250F326CABA229C2C35DD1463DABE1F81D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:24.864{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE098DD1AEC8225666713AC9A18E2D8,SHA256=C60244549ED514EC88ACEA5E6C002508AD0C387407873927FDB6BCAF5E87AA55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:24.716{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BD5EA13585A9CA673206A28AD144672,SHA256=03DC832F232D423F5EBEAF3F467F0B63D52821AEEB211CD1F6262504CCDD02CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:22.236{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local65396-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000049766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:22.236{328C47E9-32CB-621F-2800-000000003602}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local65396-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local389ldap 23542300x800000000000000049765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:23.997{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477E5B3D3F91256DAE832B763462EE60,SHA256=3565B48C37F1CCB9A193A7BA73191AF9157B29B358FC6539E77DEDE8860C237A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:25.880{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4596CC9803A081A1E232DDC2C288E8,SHA256=E43FAB06CA298ECDF5CD0EB7CE39B7BABB2ABD35C7CE5DE43616E1476C468C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:25.012{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8F1EC2416D16B485F5498FB7F22689,SHA256=612FD9A3F8EFE0A6BFB466CEF46E95BBAD702B4514AC25C85710A9CABFF2446A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:26.895{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332E5A12078F8AF12EB14D2BAD82E422,SHA256=4906465C772A49660FAFBB75D76D86ED162A846E3CD611F2A99B8225868C13E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.887{328C47E9-459E-621F-2008-000000003602}6020580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.716{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-459E-621F-2008-000000003602}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.716{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.716{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.716{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.716{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.716{328C47E9-32BB-621F-0500-000000003602}400416C:\Windows\system32\csrss.exe{328C47E9-459E-621F-2008-000000003602}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.716{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-459E-621F-2008-000000003602}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.716{328C47E9-459E-621F-2008-000000003602}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.247{328C47E9-459E-621F-1F08-000000003602}75567740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.044{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.044{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-459E-621F-1F08-000000003602}7556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.044{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.044{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.044{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.044{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-459E-621F-1F08-000000003602}7556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000049772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.044{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B722C223614D1CEF4590FC6C010F17A4,SHA256=12E45810ED34CBDB5F0B29A49C577DD0D8EB16CC103A1ED6879EB6F1466492C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.044{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-459E-621F-1F08-000000003602}7556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.044{328C47E9-459E-621F-1F08-000000003602}7556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:27.911{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C782F6225E5C03381B92718DFF182DD5,SHA256=B64F25568CC16CEE3031B60FB74A737DCB836518599234038C541BB3371086A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:27.684{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-459F-621F-2108-000000003602}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:27.684{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:27.684{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:27.684{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:27.684{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:27.684{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-459F-621F-2108-000000003602}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000049792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:27.684{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-459F-621F-2108-000000003602}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000049791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:27.685{328C47E9-459F-621F-2108-000000003602}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:27.060{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DE8CCBA83D5A43F423B8514DB3BBCF,SHA256=19B834E5473A2EE8834BC14637D991684645ACC1712D93D5634BDDBCCDA275CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:27.044{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=085B15D73471D4702EFC00C37B4FFF56,SHA256=29AB8F1A30DA072C6C7A497710727C397564BA1D05D861B4F745184809B52FBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:26.953{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50527-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000020368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:28.927{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EF8A6279E6F838AF471D28A884F272,SHA256=DD452EF244F45DB82E992C471285073EBA7EFA0789C12CCB7409D8A08EAB814E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:28.747{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75926D5A254476C8079A9026E12502B1,SHA256=7C2DDC2906315833668347C85160588DD369A759D716A8BD8F907EAFA8CF663C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:26.110{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65397-false10.0.1.12-8000- 23542300x800000000000000049799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:28.059{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFDA4A0DEFD03D9B0DC1EB58BD2B869,SHA256=C608BC035C93C08CA07E99DAC2A13196A067532251856D40952AED0DBB30C460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:29.989{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2C81CE7F42E393A0BA82A510A9696E,SHA256=DB4E71D1B8E45FA2BCE095F0BE34C27AF4925D340F3CE5EB7766B618BF7C4EF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:29.106{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1500-000000003602}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:29.106{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1500-000000003602}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:29.106{328C47E9-32BD-621F-0C00-000000003602}8286560C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1500-000000003602}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000049802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:29.059{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9730DA017F4E6008B579D9B413E41F2,SHA256=186F033A01283BE53D01EC736383BAC1AE5BF6647F6E8451146BB08D0C7CBDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:30.122{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CEA49408377634C61A336977891C97D,SHA256=3A1BFEA2E4E162F676D48E2160B63B0EB8953D87B3FF8C842A657766F7A58518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:31.153{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16705AA638CFE6382F56B72C21A6461,SHA256=C47316678229C695B3827D2C32775B9A0A62DC1BA30C809AE603BCD59523118C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:31.005{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D502FB1E80F9A1F23E67522CD91926,SHA256=2D59815D67DA51794946536F0CA4C7DA507F0A1EF22CF0804640013C3D006BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:32.020{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB4B9C0DA62D591C5446992C8A989C7,SHA256=ABF7BF1AD11A78202ADF68597CD0E0114B9118BB751C26FD2B4B6145EC4C3F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:32.169{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7458BB7D7B9B76D568B2A0FE354921F8,SHA256=2F1D1F3882961E6D9C756B18D6A06C1302C21E42AA20646B50ED3E739D243C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:33.255{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3CCAEB5F6051D4FA82941903B54DF9,SHA256=A7564BED8346D86B481067072D5F0DD53AF6675FFA3F9B4CD11D21017CEF300A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:32.032{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65398-false10.0.1.12-8000- 23542300x800000000000000049810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:33.341{328C47E9-32CB-621F-2C00-000000003602}2984NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=BF300F7014437E589E790062B067C7C5,SHA256=F82904089512CD064BF4FD93876F475B3938370D05E059CC66B62D22F3E3360E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:33.200{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628C075FCACCFD288580E6311A8B5BCC,SHA256=BCCA5B7A64EDA9205DB00F65E00D78F9E2F764F8037C20BDBF68102131E2C35F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:23:34.317{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4C593F9E068EA09B44D4E2C2EBD84DA,SHA256=07AC0845FB8A8A5CD6FB72B1437F0BB9E29A70B7B65224B004D0D9CBF2882718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:23:34.247{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348AB14398CA3B04F4EBDDC0775FF8B4,SHA256=E9CCC91876492AD5F9BC1FA347612F68414121B54F0DD142BC71095085A2E6C9,IMPHASH=00000000000000000000000000000000falsetrue