23542300x800000000000000046119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:36.425{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80897FE31C3F4A9282DA6584D9FF77E,SHA256=CBD6392E80E89322FA5536357DAC0DF2EA52B58A68A589A1E3624E0BEF17047D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:36.281{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAF60AE2EF761B99BAA70DA70C9069D,SHA256=89697F9ED1378001D597E44A37FE81043428DAB457FE470A55489BE852EF0B35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:33.169{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65316-false10.0.1.12-8089- 23542300x800000000000000046122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:37.460{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620DBD7A8047EECBACB578714F3C50CB,SHA256=ADDDCFD3DB5B52B0C0C7F6334A5AF750BCFA9065A653FB89C728A4AEA05F5EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:37.296{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E0E1694375412F82034CB5B35E5ACA,SHA256=4D064829A5C1A7C049EAF2F5EBF0017663AAA32BF34409D1A503964BB4A7D93C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:35.832{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local62928- 354300x800000000000000046120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:35.030{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65317-false10.0.1.12-8000- 23542300x800000000000000046123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:38.495{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D89A74E5B64EF2D0BC2F6FE59D0673,SHA256=125B1C280C4C3B9F197B33789F5B477F42538F3456295EDAD24C835B07A20DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:38.312{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D69E62F5F620345B0F341A50299032,SHA256=EFE6944D7FD633382C509FFB304CFAD6DA6AA508E1A0C2E704C07426C84EB3D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:39.525{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BD9491265192E22B450606BD025AFA,SHA256=CD52EB8650786859D01E81C64603D71EECED1DACDFA3EE9A0DC6EEF89E2F56E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:39.327{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3009532A454F10B95248345C9D12D6E,SHA256=291A79AB1E7186BCCA88CF64D485A08967C2D5BC7C7229F5062DB688CA731D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:40.540{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7087194582E8893266EDBF6276EDE403,SHA256=58ADC511B68413546DDC3A19056AA019A95588F23FCE68DF82FAD81AC8124B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:40.343{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0471090D16F38242AFBD2A75D083A7B9,SHA256=CA8AB3AA8EBB2BFE9CC34388F82E3985C6500CCA755F0BD1A619AD0B41486D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:40.409{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\datareporting\glean\db\data.safe.binMD5=DB57A48F0F4317395F3C9E6B97B17D7E,SHA256=ACE9AD158BA76BEE1351E7A252238182C8439EDE77A9C7D684AA56789C0E97E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:41.557{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C766C79697C55FB4AE30EC1714D2B463,SHA256=A1AA04C2398684C2EDD075702E419449E4CC39A93B230A98E678DF37025703B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:39.901{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50471-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:41.535{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADF12276DECD99CD0E321A5A02EF089,SHA256=EFDDD3FDFF9B0C5C893031C237435C23052DF65646EAEFB626F328F2F56F0030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:42.576{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD76292B3BA5C6270D4656A0E7D15A5,SHA256=5445CCB0264741C7EB14AA60B8599D341B61D4AC9BCE1F9AA5844E67D7548415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:42.722{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7BD544E9C8A622FF5C17C4324EF913,SHA256=DDE93D5BF8B2F01DB87BAA06B51DC200BC4B26CDCCCBAB9EB8ED8E3199040000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:43.785{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86687244FCAF19DAD5063766AFAE7FE1,SHA256=6933C4308D59BD52279F0E1F3BBD10B0CD38049B2C528F1B2EB2E210497F241B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:43.592{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D716E98A4D896D0D0170E3D142CBD8,SHA256=46A8D062386F4C9D8952F16856E0A7F86CEBF063B297F3C00052C39A530026B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:41.029{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65318-false10.0.1.12-8000- 23542300x800000000000000046131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:44.623{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F24D3C67D530A51771926FFF898652,SHA256=5C2E55B48584F3A16658C18C6021EC1434A20684B897200F93BB5FC1134B8974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:45.623{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4101818A329F48EEC1D148AFB20704AC,SHA256=88D0097D744D921077551D035EA7AEF096A1C663166218AF07AD60DF94B3B5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:45.019{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EAD8B52F46C18D841A507ABC270854,SHA256=5BF5E1D8D25B269607C3850ECDB35C3A6E9C48F6067ABB58F7E3928077FE5500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:45.423{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\datareporting\glean\db\data.safe.binMD5=3025A872500B9A74603D98DCF418DA04,SHA256=74D82E76494BB8D8656784F3B8222CD057ADE89B6C751340067FED4800C079D1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:18:46.838{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x800000000000000046138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:18:46.838{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\F13B0035-58C7-49C5-B747-E6C0B33C6DA0\Config SourceDWORD (0x00000001) 13241300x800000000000000046137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:18:46.838{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\F13B0035-58C7-49C5-B747-E6C0B33C6DA0\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_F13B0035-58C7-49C5-B747-E6C0B33C6DA0.XML 10341000x800000000000000046136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.822{328C47E9-32BB-621F-0B00-000000003602}616824C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.822{328C47E9-32BB-621F-0B00-000000003602}616824C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.638{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FB285EE57B9F9B1784B50D6FC29EFE,SHA256=B10CE2D2BB6E629A1A01165093421AEA441422B85090918F61558A170AB1E684,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:44.905{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50472-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:46.207{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA74043D6A597B6E91B0B30A10BB493,SHA256=546F41BEC9228B4B0CCCA5082F72D5310031C965B59B488339B30BF530EA5F33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:47.691{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:47.691{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:47.691{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:47.658{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5E83B3DEE815309564671CF85727EF,SHA256=042AC1C8C36CDF065AE567A1CC97637C0D381FD49E38410534F15E8F404F9EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:47.410{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16EFC21662DD83A24CF55CE0FB09937,SHA256=22ECF24CB1EC584A40B58E10BC20714EE616FD1D5BF0A87FDBCE595C7656613B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.150{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65319-false10.0.1.12-8000- 23542300x800000000000000046158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.721{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26534B5D7C1CCE4416B073D8ED75264E,SHA256=52E5C245A0021210A7048447AC9708B6D12DDB19C3A7054CFD61271BEF2E1359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.721{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4B089F66476B39CB077E8523BDB776E,SHA256=D12844EC1927226EAFFFB180514A330237661D509EBC57F55E8842EC17CDA00B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.706{328C47E9-32BB-621F-0B00-000000003602}6161212C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.706{328C47E9-32BB-621F-0B00-000000003602}6161212C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.674{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674C793EC8E9DC57169987343FFF686E,SHA256=6FEFB242053E54CA93D237804FF70B6E3C0F3547FF92F35B06FD07E7AA570215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:48.425{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A0A11B9FFBC1438BFC0D341C0B42AF,SHA256=4DC2ACD38C96E38F1B1C51446943577553BDF6A16CA5308B246BAD394C6AB681,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.827{328C47E9-32BE-621F-1400-000000003602}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:100:0:c840:3a79:8585:ffff-51387-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000046152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.827{328C47E9-32BE-621F-1400-000000003602}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local51387-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000046151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.825{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local54563- 354300x800000000000000046150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.824{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local63892- 354300x800000000000000046149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.798{328C47E9-32BD-621F-0D00-000000003602}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local65320-truefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local135epmap 354300x800000000000000046148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:46.798{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local65320-truefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local135epmap 10341000x800000000000000046147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.521{328C47E9-32BB-621F-0B00-000000003602}616824C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.521{328C47E9-32BB-621F-0B00-000000003602}616824C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.521{328C47E9-32BB-621F-0B00-000000003602}616824C:\Windows\system32\lsass.exe{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:49.690{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BF429E4381071BDF42152672A34F8D,SHA256=EB3B87C7B100C699911B274792F3B430A45F83C5ACAC6D4EA4040011F9492C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:49.441{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A87BEFAF3B41BFB650C4201AC18F6A,SHA256=51BD53751FA93E039F0AB0AE06812BE4E8EB608719FC2D62D2EF6534D16253E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:47.664{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65321-false10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000046159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:47.664{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65321-false10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local389ldap 23542300x800000000000000019521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:49.254{0B31F0A7-34D4-621F-1100-000000003702}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E9B140EBE15143E5E13FCC4EFC8963D9,SHA256=8D8F3C30D2C64557F02EC761D1E704241C2CFA7464FCBBD4F85D27EFCB4B6007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:50.705{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ABDF22332A90CA519D7BD0779C2BEB,SHA256=98ED87032345F3E6CB1ACC83442C46D256C46C3510413D4951CCB8EDD5231496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:50.457{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D827D1EFF5890581CFCF9294D5CC4CC,SHA256=85321F90D0F5ACCB42F2DDB2FEBB93A164F0370514804C30B3163959B880B8BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.495{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65322-false10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000046162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:48.495{328C47E9-32CB-621F-2A00-000000003602}2948C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65322-false10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local389ldap 11241100x800000000000000046166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localEXE2022-03-02 10:18:51.804{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXEC:\Temp\idafree76_windows.exe2022-03-02 10:18:51.804 23542300x800000000000000046165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:51.719{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF435027F5B45D03896B0B8BC33D25BF,SHA256=FF99D4B7FB56CAD63221A6DB3964A32D68B5E98CAA0585ACEA75024E8AE7660C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:51.566{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-1300-000000003702}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:51.566{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-1300-000000003702}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:51.566{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-1300-000000003702}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:51.472{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C997D80EF90ECD0E62A5661AEEA457,SHA256=25B616001561D217DDE1C6FC01412BB0A504208867508D66C57543EB553FC6B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:52.923{328C47E9-38F7-621F-2706-000000003602}10201336C:\Windows\system32\taskhostw.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:52.739{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDA5BDD78189FEF32D21AFF939609B8,SHA256=536E65605F92BECBFB7A107767BB90DFB3B80269E771E53E833BA5FC3ACA8DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:52.488{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BFAFEB67557111E1272FA6B12C9D2D,SHA256=18D61CF34FA7966AF8FEF3F7DB82562DA68F1CE912B4D1426674041647343620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:53.756{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECA2C39F26978FCECF9CA415B3C2F54,SHA256=65A952CAF1CEAE13D62A4EB486C1A56826EA3EFD4ADDFCA230A2A2A7ADA28794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:53.504{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B98A5620F3231D64E362B34F2F1463,SHA256=A2F1959D4E06B77796FA8FE7B195641B8C0511F205F6317C792C408C77857873,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:52.127{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65323-false10.0.1.12-8000- 354300x800000000000000019529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:50.905{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50473-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:54.776{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488074849EC4976FBFB1134FB1DD551F,SHA256=E39ED173B1BDB27B7C4E9A894B25854D2D99668BEE94296A3294FF26A748E7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:54.504{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B149486E312F73545034A9E3B5310AD8,SHA256=63A1AB2B30AD80F9659D87CBBB33712AD8D0FC395DD438D0C5AD9514CAB9A3BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:55.806{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A530D152E38DF148122C8B72F668326F,SHA256=9738C1E1CC993DE17AB6B34B2748B2A1A25CB5B828DC13F6B85C8C7BD4FD04D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:55.519{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3182D57E80429C16F79D6079AC8884C3,SHA256=4A5F256626395F06215C7CB5557B0CAE6DDF85264BC7AE0545E3551A82A02C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:55.154{328C47E9-32BE-621F-1200-000000003602}340NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D322E4BCB7AB372E5CD6367E3641C656,SHA256=83B95CE4C5D505C6458A624EA41E8DEFF33D5FBC2383BE7259E4C5DB2F7A9D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:56.821{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6668D9FD06108A3656FC8977AAA966,SHA256=2ECB3C480EBA505E3071B3C9F4C78717FA294C0A9C056740531532F56297BB68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:56.535{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E6C1CF0FEC9FE9786AE7B3FA2C7B5D,SHA256=1082180789ACF009F7E11F4DF5AE029458B847779F8CBAFD71DAB297C35F0783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:57.550{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B122D9C1E3D3F73385CF795D84F5041,SHA256=8C14FD15B465A5A00FE530363E9A4A627BE55861AEC543297B38852616629ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:57.836{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF2E0AD14CB79A28453CFBFF10227FD,SHA256=1EEC6E5F57D5EC1AFC69A60E1A046E93677AF2E5120D2A0B71629A60B17976E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:58.858{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C396CBD47CAE8EE8018E991EC0DC79,SHA256=B6E4DDBA87439303FFCE3DC604788D0A7F074044A0B8E1613DA9DF6226ADABF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:58.566{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4479414662B7F966407010060FC27C0E,SHA256=6375B7791CE25C58A36AEECE732917A039991B37FCB27417699B09722AF55061,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:56.061{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50474-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:58.239{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\datareporting\glean\db\data.safe.binMD5=0C09D651A02F13E2D4349CBADEC3065D,SHA256=F2840D7278F64A6D40D290A3486F72A9EECD6B305440FA597C84843CA487ED63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:59.877{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE3C54FFFD21DA251D6D621FF7A4EFE,SHA256=4F3E507D0E395BBB5000421CCA2AE50B3780369D4F0B499864B6286918228C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:18:59.582{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C0BF94870145881CAB84987B1B51AC,SHA256=5C616F933B3DDBE8C0BD45E134FB322B1DC82A0515116B3D5011663E6DD39336,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:18:58.029{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65324-false10.0.1.12-8000- 23542300x800000000000000046180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:00.892{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2A36E1619304CA1505012FF30B6796,SHA256=64AFC9ED1AB845D4E6B72FA58927C0CB05EFF65C22601F1F3DBCC3852867BCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:00.588{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898AED636238729D90D11FA0D06F9F28,SHA256=C802B3602E0D9255C3AD5965940A152DA7284B8930EE3BE401476412E8EE19B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:01.588{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D54BD1777E015952EC3EA149BAA4DE,SHA256=041F09BFF49B30170D457EE4EB90DD7767A110B6AE8D5365FE91B3A3A43C401F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:01.908{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE61532E9DF5EC881EDAE4FA31CD1E60,SHA256=D10D290BE7314C4AA1003D3D03D2175FE785785A4F3EA2943D885BC085F60347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:02.603{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=487020A54D34AA7442B36709DF7A43D1,SHA256=4FE90CC3DC345AC86328E72CC55D5E25385FF115E7032015ED9A65C72CBC5992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:02.923{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA31BBD3AEA47F9E566B4F67F0DD27A8,SHA256=60B903E7ADF1BF0BD17AEE38A833ED2D97D2F4F74467C19A4101633B6BC6A5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:02.196{328C47E9-32CB-621F-3000-000000003602}2276NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b2a54b03ec6c5aa7\channels\health\respondent-20220302090310-073MD5=47B9AB6966A9A68B2D576A1C6AA75061,SHA256=8AF396895B30D9593371F8AB463A5CC9CFB2CD271124040E771BFC539AC707CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:03.650{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5904D75FE4AA230CDC7C45CFCE2A6618,SHA256=535F0EA22D8C2CC00AD790076031AD7CFC8E358751390EFA3ACF33EEC8C86312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:03.924{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C535EB2FD12DC34537C63AA37814BA5F,SHA256=265003A5895FFA829592F734B7DB687A495F4C86A6AA22A0B9C9F90D6C6ABAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:03.254{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\datareporting\glean\db\data.safe.binMD5=59579D10E50FBA2EAA626B453E094926,SHA256=B2953E34E35457091324725154128AF92879F26264029B5FE63BB009C218C489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:03.209{328C47E9-32CB-621F-3000-000000003602}2276NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b2a54b03ec6c5aa7\channels\health\surveyor-20220302090308-074MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:04.938{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69DC7C2D6E6A32418A194290E4A7804,SHA256=5199BCCE59A1ADE0DD860FD3B93BA8F4DBACF1CFC3B9973C35EB8E85128818C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:04.838{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9840A701AE44BE4CEEC1AC283345D3F,SHA256=E9BB725A3F8B8F9ADC6CE98AC601B2D30260E2687DEC397B1BEF92CC8DB2AA24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:01.927{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50475-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:05.956{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0211779DA43B5E077483ACB91801AC03,SHA256=4AF79B9E1B1DE2AA832CA8DA648D61B72894C0F07F9AAC8AA27C3584265AAF23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:05.853{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98938DB8A2A6D0455C7993E041E9BD9B,SHA256=27732D1D456583010FB50B819857D4B015A42AA2632ECCFFBDF239D163440E43,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:04.029{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65325-false10.0.1.12-8000- 23542300x800000000000000019545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:06.853{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E459FE623042D8E45ED0AF2F01CB41BC,SHA256=843D21304D48DCD5F0C77771F5A4B5CDDCEA4C05756B799BDC0ACE4666AFDE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:06.974{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95F0D527966919A321396E9F16009F0,SHA256=C1F6442ACB5D4C891002A84ED91C6900F3F207AD0EB7CBB643BB9946A6CC7AC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-449B-621F-9405-000000003702}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-34D3-621F-0500-000000003702}392508C:\Windows\system32\csrss.exe{0B31F0A7-449B-621F-9405-000000003702}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-449B-621F-9405-000000003702}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.963{0B31F0A7-449B-621F-9405-000000003702}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.900{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4C1A0E4B968915989F55ADC45EA9DC,SHA256=504BF2BF618D3B57F2642E38AD20B5D88DE947F3FDC2F79757275C0DBD5185BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:07.989{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EA5FBEB71D7BA8CCB05B9BE0FEA426,SHA256=CD3E20EA030B74093056C1586F3F31B94490392537FD75873394E0E4F14BC593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.900{0B31F0A7-449C-621F-9505-000000003702}11801340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-449C-621F-9505-000000003702}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-34D3-621F-0500-000000003702}3921048C:\Windows\system32\csrss.exe{0B31F0A7-449C-621F-9505-000000003702}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.744{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-449C-621F-9505-000000003702}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:08.745{0B31F0A7-449C-621F-9505-000000003702}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000019590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:07.974{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50476-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000019589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-449D-621F-9605-000000003702}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6AFE49331C5DAF946B3ABC0669338AE,SHA256=DCBF912D0950196081DD9041A929E0CE74EDA38929259AF3EA8E8487238A3F8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-34D3-621F-0500-000000003702}3921048C:\Windows\system32\csrss.exe{0B31F0A7-449D-621F-9605-000000003702}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-449D-621F-9605-000000003702}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.340{0B31F0A7-449D-621F-9605-000000003702}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456AA815CE228E8E0980AFE02BD44588,SHA256=85057C542BC3520C448057F4044099BF81A0E653EF3A8F32FA41929FA7470300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:09.338{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0275BEE8F58EF5F80521DD00304B7F5D,SHA256=F71A474D98E2CD3755352257A5A98D8F225C9AD73A3D837746B2710397A60A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:09.004{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A800348A4C71376E0D73F0AEB517480C,SHA256=5C1FFEF976EB403EEF330730284C7C5FED72DF26273A153F984FA4C226844B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.541{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040F081D855C8A0FAE2D93E1B57B7CC7,SHA256=B32A54EAB6ED857FD54CF39E8D50C714B076D62A81169FF66EAF1730CBF99A50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.385{0B31F0A7-449E-621F-9705-000000003702}30323420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000046194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:09.177{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65326-false10.0.1.12-8000- 23542300x800000000000000046193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:10.020{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABBDABF889E45B6261E1115FE2F94A2,SHA256=18A8286A2D6AC7011E21E23D4BB051E1A706773B7E38D560432BEB03F4A69DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.369{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6AFE49331C5DAF946B3ABC0669338AE,SHA256=DCBF912D0950196081DD9041A929E0CE74EDA38929259AF3EA8E8487238A3F8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-449E-621F-9705-000000003702}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-34D3-621F-0500-000000003702}3921048C:\Windows\system32\csrss.exe{0B31F0A7-449E-621F-9705-000000003702}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.244{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-449E-621F-9705-000000003702}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:10.245{0B31F0A7-449E-621F-9705-000000003702}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:11.603{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918CE329314D0C44E56CC4FEF154191F,SHA256=FA2C250409393CC7CAD2C8120EC11F9C1EE0DE67F63D46CF76247F74BFE08180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:11.024{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2DE79A90E0B34C3163A2D2D4F62F2D,SHA256=A995F8FB1EF98953814A7D23FE0BEBF1224CA1E520D4A9A78D2E2929DE489D25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.822{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECE54E501FACAC199A3AF5143B7E0DB,SHA256=5A2D2E14C5F16ED6F81B497EC1CF64E600CECF56F0491DE5DD07495C685FC52C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.791{0B31F0A7-44A0-621F-9905-000000003702}29323776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:12.039{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BEDEAE0B876454CA867F459E29E45F8,SHA256=22514D0B5DDEF93ACB3757F4EF3A719749039203F23F277B3BA141462590D2F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44A0-621F-9905-000000003702}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-44A0-621F-9905-000000003702}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.619{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44A0-621F-9905-000000003702}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.620{0B31F0A7-44A0-621F-9905-000000003702}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.431{0B31F0A7-44A0-621F-9805-000000003702}36723504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44A0-621F-9805-000000003702}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-34D3-621F-0500-000000003702}3921048C:\Windows\system32\csrss.exe{0B31F0A7-44A0-621F-9805-000000003702}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.119{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44A0-621F-9805-000000003702}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:12.120{0B31F0A7-44A0-621F-9805-000000003702}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.806{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB12C4309F008EB33613626AEFBEFA28,SHA256=CC534398A54F5585311C168BFD121EEB5A3FAA0A5ED634FBB5D61C250DA3BB6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44A1-621F-9A05-000000003702}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-34D3-621F-0500-000000003702}392408C:\Windows\system32\csrss.exe{0B31F0A7-44A1-621F-9A05-000000003702}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.181{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44A1-621F-9A05-000000003702}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.182{0B31F0A7-44A1-621F-9A05-000000003702}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:13.135{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DAC144A68CB0BCBE4646C4AF8CCB26E,SHA256=37C2BA75E5497831A3BC0DA0BBC2190F559723CF9B8B93ABDEB6C564738369AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:13.041{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B37A6FCD6F7BEE7671165B50249181,SHA256=AE366B8E0A2869C0E29D89A43F1AABC6142F8521A1FD72552218E2C4558708F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:14.853{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2002E286B75300780720A2EFA09E41C6,SHA256=C9191A32B776FCF43E77532627AD41CC7D9D4A5C5FCACCB0EAF913BE9DA9371B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:14.042{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FA73F05A449CC63437C0E53B2CFC40,SHA256=2324157211711806A8E2D4B600C9976AC92688341BBA029BEA434958BBC24CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:14.197{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5940F6E4875B9B0A47337A64EB722CD4,SHA256=35CA3972225BDB71626CB02ECE78E46A416FFFEB6E769778FACA50C54953828B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:15.900{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9360EF2E57B23108296C519BEA56DA48,SHA256=77E769F10A679AF0784A531C3CD87B44F47CAD59F63D28241C7056F509A5964C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:15.043{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFA38EAD483B3559AF5E52A5DBEF761,SHA256=03AD7C3D0CDB6141E0960D5DAA09BCF8A647670C0DE2C89062074341AD7096FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:14.020{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50477-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:16.931{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533B03711CC354DE2857CD984A8072C0,SHA256=74312C05EB7BFC60D8DE3F1A9541689058F7B072CAF4AC2959F1633DEF0B1970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:16.061{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22295860800C21BB39AAC4AF46FA483F,SHA256=7B8B58943C414D6CC6AEC141CB70138C14F2D5BE513CD40B8B02D8FEF9B346C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:17.947{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB012BCF18BC134FBAC59ABFD14E23C,SHA256=860641197EA8D396F2563F1C54626575258D3CD22D0B8D387973E086F6082BB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:15.102{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65327-false10.0.1.12-8000- 23542300x800000000000000046201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:17.081{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE58F2CE1CFA3C27A55C6729BB731B3,SHA256=07B537E83ADD44F1593AF4CD4471CBCA30D1BD34C54844F4C51F5E3A9E7B5082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:18.995{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C22B1790C6692A1DDDACBEEB3554F81,SHA256=963CF1C0F884516D7707176A818D3A0160C3350FE54C68033EE7434C4704F578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:18.112{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF575F0A30F60069F4AB5454EC35C16,SHA256=45D92D372EE73EB0AFC4B703DAC3123DB9E54A6C57870720217B44079726936B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:19.142{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1548365F72D72833AE55576E1CD21518,SHA256=883F9F7784141EB236392AC5B83CA1D72DC4B28096300EC763AC3402B904E925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:20.160{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1145DD5E07058426B2D7F57FCAFE89B4,SHA256=99B18D36C82C62D8879FFA365A6D286A895D7EA7F63A7E9F05D6D40BFBF699A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:19.098{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50478-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:20.150{0B31F0A7-3557-621F-9D00-000000003702}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=BF300F7014437E589E790062B067C7C5,SHA256=F82904089512CD064BF4FD93876F475B3938370D05E059CC66B62D22F3E3360E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:20.009{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206C91FC81BCFC081D37711ACFEDD1E8,SHA256=C2CF47E5AC8EEB1EE34CEC427EEADBF143FC646A6C2B7B967F74924CEBE68535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:21.014{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045D8E7C1707476B0268D7F4CB87AA07,SHA256=3D13607072B8FB761A088B51ED90B57B6EB786D1E20D4CD0014F1F9C94B70A03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.441{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44A9-621F-F007-000000003602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.441{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.441{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.441{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.441{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.441{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-44A9-621F-F007-000000003602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.441{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44A9-621F-F007-000000003602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.442{328C47E9-44A9-621F-F007-000000003602}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.179{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8501532C4BFE73FEB3130463FB9A76AE,SHA256=4890D5FEB89CC25307FF3A9BD53CF3D2AE46A0084CC544655686EC0A63FAF11A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.778{328C47E9-44AA-621F-F207-000000003602}63848028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.600{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44AA-621F-F207-000000003602}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.600{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.600{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.600{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.600{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.600{328C47E9-32BB-621F-0500-000000003602}400416C:\Windows\system32\csrss.exe{328C47E9-44AA-621F-F207-000000003602}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.600{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44AA-621F-F207-000000003602}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.601{328C47E9-44AA-621F-F207-000000003602}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.447{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11E2880D6F2F37B1574B680E86D43935,SHA256=59887C676F40FA3ED8B3D6C96F56B2579B124B43C098FEE97C1CE6262F46F6FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.447{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26534B5D7C1CCE4416B073D8ED75264E,SHA256=52E5C245A0021210A7048447AC9708B6D12DDB19C3A7054CFD61271BEF2E1359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.179{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913667AE2D138ECF3C46611964FDF133,SHA256=9DD387D5063E420FA0FD92297CB436F0CD5AF703D701B0AF4055346FA62B049D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:19.979{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50479-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000019663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:22.202{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26FBA8063785D254285F0652BD21056,SHA256=EEB1B05BD356B285101824618415343AD1F8885FA05D582D91162FFE599CC82F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.110{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44AA-621F-F107-000000003602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.110{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.110{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.110{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.110{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.110{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-44AA-621F-F107-000000003602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.110{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44AA-621F-F107-000000003602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.111{328C47E9-44AA-621F-F107-000000003602}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:23.342{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911B407F5A22A2DD797721E504AD8A45,SHA256=35B07BA2A5462B17E0F50BF38333F904A4E39693DDDB46158A9C3C0D2AE319CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.933{328C47E9-44AB-621F-F307-000000003602}6916992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.684{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44AB-621F-F307-000000003602}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.682{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.682{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.681{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.681{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.681{328C47E9-32BB-621F-0500-000000003602}400516C:\Windows\system32\csrss.exe{328C47E9-44AB-621F-F307-000000003602}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.681{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44AB-621F-F307-000000003602}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.680{328C47E9-44AB-621F-F307-000000003602}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.631{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11E2880D6F2F37B1574B680E86D43935,SHA256=59887C676F40FA3ED8B3D6C96F56B2579B124B43C098FEE97C1CE6262F46F6FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:21.052{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65328-false10.0.1.12-8000- 23542300x800000000000000046235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:23.184{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81DFC18C2D26C7409DB69D130E5C734,SHA256=271022F9BBE494A88D18643B17FEA6099059B308D75520829D13920726C16974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:24.420{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D678228443C193E784CEDD80FFF16238,SHA256=5F307DB2CA9A0137ECD6108A3DD6756DF63AC420C8701B814CB8D39FB2FE127C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:24.701{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=291D69587C1E7BB80DB0DAD14569F52E,SHA256=C52907C0931F8A48020EDA42E39EEF14A0AF043B3FA863EE9C66AA1D2E3B86EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:24.202{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F79C809745F7C5767A2191DAAEE478,SHA256=F0CC97CD70D8E9430A55F5C3B5F33F3C8085E853074C47E8361EB20691176B6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.200{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local65329-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000046247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:22.200{328C47E9-32CB-621F-2800-000000003602}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local65329-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local389ldap 23542300x800000000000000019667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:25.655{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F41ED8AD32078BD6647C6B5016890C9,SHA256=91C4E843D7190DF890E98544C60DE457EF81C5B4CC43176261AA5C8EE0F3E971,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.763{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44AD-621F-F407-000000003602}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.763{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.763{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.763{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.763{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.763{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-44AD-621F-F407-000000003602}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.763{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44AD-621F-F407-000000003602}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.764{328C47E9-44AD-621F-F407-000000003602}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:25.217{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202F26DCBDCC7D74292A2D08BF6FBBD6,SHA256=7214C7448D12843803EA86497E38EBE2D97B2CB6DB10BB1CFFC4A0995D48E00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:26.889{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5520CF49B57222F5ADC03D6652860495,SHA256=05D136CFC04D4E70FA27611BE81EDAA57CFB59DE2336B0319FF5BC94A09085AF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000046282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00462f77) 13241300x800000000000000046281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82e16-0x9cf9ba20) 13241300x800000000000000046280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82e1e-0xfebe2220) 13241300x800000000000000046279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82e27-0x60828a20) 13241300x800000000000000046278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000046277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00462f77) 13241300x800000000000000046276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82e16-0x9cf9ba20) 13241300x800000000000000046275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82e1e-0xfebe2220) 13241300x800000000000000046274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:19:26.978{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82e27-0x60828a20) 23542300x800000000000000046273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.778{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69255E0E165D92A4434D01A084DAAD14,SHA256=5BF54FFA7AE4C3EFC13C45C6C3917291E15BD7E31803EFC6BF76FAA4D2C980C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.497{328C47E9-44AE-621F-F507-000000003602}58281588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.263{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44AE-621F-F507-000000003602}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.263{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.263{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.263{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.263{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.263{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-44AE-621F-F507-000000003602}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.263{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44AE-621F-F507-000000003602}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.264{328C47E9-44AE-621F-F507-000000003602}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.232{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0736C8BEF1A0FDCDAA7F3031ABC7755,SHA256=C4346F561E63027E937B68516CF1EEBE4C8CBB1EC8275B321E3E3BDB998E85F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.085{328C47E9-44AD-621F-F407-000000003602}78686656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.063{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=44278C5C489EDB26D5632FBC658DDC6F,SHA256=C705FFEC0D507AA22C16C6249C4D811263508EA69BB2706BE9738BD0D82A2DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:26.047{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=47D65CEB5EDC97828C46FFC639DCA709,SHA256=578BA9A15625A0E3D2A4E9BDC0ECAC0E7E2B380712E21924B2653CDD53AF5F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:27.920{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849671DA75B19A7C53CF869EC64089A7,SHA256=AA9C06150F8D8EC7A37F4E5C0462AA45DA96030CC5AE0FA17661228E30CA6A81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.909{328C47E9-32CD-621F-3700-000000003602}33883408C:\Windows\system32\conhost.exe{328C47E9-44AF-621F-F607-000000003602}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.909{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.909{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.909{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.909{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.909{328C47E9-32BB-621F-0500-000000003602}400416C:\Windows\system32\csrss.exe{328C47E9-44AF-621F-F607-000000003602}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.909{328C47E9-32CB-621F-2C00-000000003602}29843696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{328C47E9-44AF-621F-F607-000000003602}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.910{328C47E9-44AF-621F-F607-000000003602}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{328C47E9-32BB-621F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.247{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0D56055E69E8A67E654DDE7269D0AA,SHA256=9FC3998057A8EC715D766AD6F337A490034C36D679363087E2C898637A2017DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:25.041{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50480-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:28.936{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF108273F5DE232EFA111E4F9A323964,SHA256=AF79D983164309CB9AB2273EBF57FFEFFCAF6F247CB7027BBC1BB197663E3C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:28.928{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6C087069083424C1F508CF243D1BF99,SHA256=3E72FBEE313F33A14BA072650DFE88A457E698D5898C897600D2171E33BE711C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:28.278{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523101E571E0F5932EFBC279B2CF93BB,SHA256=7391D5BD8753A2F6D4D145D86E294B522BBF64046565012D23AA6C39A789A702,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:27.083{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65330-false10.0.1.12-8000- 23542300x800000000000000019672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:29.951{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8F93923DEA7555753C75B62F7ACA45,SHA256=062DF09B64A3F8D618C65456A6841166C0C790B124A60DE4CECC49989FEEEF0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.960{328C47E9-32BB-621F-0B00-000000003602}616824C:\Windows\system32\lsass.exe{328C47E9-32B8-621F-0100-000000003602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000046298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.845{328C47E9-32BB-621F-0B00-000000003602}616824C:\Windows\system32\lsass.exe{328C47E9-32BE-621F-1600-000000003602}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.845{328C47E9-32BB-621F-0B00-000000003602}6161212C:\Windows\system32\lsass.exe{328C47E9-32BE-621F-1600-000000003602}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.292{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECF8A63AF39584AE9F2FEE5D1E5290D,SHA256=0A1C166E372918DDDE7C39873DF22054C82AF6CADBD2DDC6E5A6795B63375A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:30.955{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FD573C6E8A87E458F9263D1B8760B9,SHA256=C169B527FDF6F1340E98687A0C9D383AC2A9D4C3BBA7F1486F6DFBBE0ABC17A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:30.891{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E9072E759B11458B49C08778B8D15E9,SHA256=34EEDB9660025D8B125CABA10AF4887EEFFD0DE4A426D996119BA06C63D4498F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:30.307{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482ABC3EC480E687CC2AB19180E0A855,SHA256=51A54D219ED26F26198DBD9E3198A8AB136DA4C4A3FE326CB0DF97D4825F89DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:31.968{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84937EA3491254820AD912395AF8019D,SHA256=86D403C1C31897B684361BD14F4CD983FFF6DF0E4CADE522E980B2DD79336625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:31.325{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81707878A4F6C9D10A3A229EBFD2DB63,SHA256=7955B9322CEB5E994C379FC1BABE6A37CD17935767973C97BA1D25061BA9163D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.938{328C47E9-32B8-621F-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local65333-truefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local445microsoft-ds 354300x800000000000000046306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.938{328C47E9-32B8-621F-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local65333-truefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local445microsoft-ds 354300x800000000000000046305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.831{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65332-false10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000046304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.831{328C47E9-32BE-621F-1600-000000003602}1316C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65332-false10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000046303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.822{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local65331-truefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local389ldap 354300x800000000000000046302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:29.821{328C47E9-32BE-621F-1600-000000003602}1316C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local65331-truefe80:0:0:0:a46b:4826:f425:af55win-dc-tcontreras-attack-range-682.attackrange.local389ldap 23542300x800000000000000019674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:31.066{0B31F0A7-34D4-621F-1D00-000000003702}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05f92af3186bb896f\channels\health\respondent-20220302091151-065MD5=430E98715AF7AF3635AF491DD4D57DC0,SHA256=DB5ABDF044C29F4F52A2AE95E41AD07DA17545B9719AB57C70BFA50A5C4AEE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:32.969{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C229328E2BBF6CC9798E50A2E0C9C898,SHA256=56964BA9D243FA22DBF3BD903A7F386129069CDFF75B964F7039EF789D03359D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:32.344{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389ECB8A799C42AB1C5557285214487D,SHA256=E6A65F0BE36F97D96A40A63D24A21DF8E8EA6B5F1BEFD2BCF1CE1D1F40B4E2D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:30.087{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50481-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:32.078{0B31F0A7-34D4-621F-1D00-000000003702}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05f92af3186bb896f\channels\health\surveyor-20220302091149-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:33.360{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC05929BDB99FEBB6BB3BD3F7B77A568,SHA256=CB72CF02B5CFE6913066709F7E9DD393FE174C61317998E72000E69378566C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:33.244{328C47E9-32CB-621F-2C00-000000003602}2984NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=BF300F7014437E589E790062B067C7C5,SHA256=F82904089512CD064BF4FD93876F475B3938370D05E059CC66B62D22F3E3360E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:33.100{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65334-false10.0.1.12-8000- 23542300x800000000000000046312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:34.375{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F24817C9A2F143214589AA7AD29C325,SHA256=3CA43342C333A258479503B866145E573FC91C1A24C12E777453382D97E01DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:33.985{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BCAA9495A4D51FAAD833471290734E,SHA256=7322B5533787E632CA38B2826E06335FDBA68B564E19AB201958DBEB538B13F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:33.196{328C47E9-32CB-621F-2C00-000000003602}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65335-false10.0.1.12-8089- 23542300x800000000000000046314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:35.390{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91D28D8A2FBCBFA0914225DD37E2E47,SHA256=F114AEA337515063E1999717A2DC17409D0BB6A9CA4FDAFE39452EAA2F99FAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:35.000{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C66EADB787FE32612E2CB04E2C7757,SHA256=78DB9346474223C956A1D6D4A21C0DB474CE20690DCE30DE81A331AE2A59A796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:36.425{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800A5ED8B423FFD9F731803B439872ED,SHA256=B6C4FE1085F4E8D0E0CEEB96BE0A774A28341F71EDD97207E7BEE88FE9682702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:36.016{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCCBC125B3B354939853A9477C98394,SHA256=FD01E7F4495DB834B8976FCC7F6725AD195D529632CAE340C6E9390F9B2C944C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:37.443{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF08FEFE78DE2969BCFB280D84909E4,SHA256=BE372A5AE20D8D8C50E5CDC274ECE058566E4AF70D296165448D4E5C4ED2FC8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:35.980{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50482-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:37.031{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF5E091DE301AC8FE6B73E41C3A29CE,SHA256=BFBFCE86F3C1E48A4AA17CEB55521FADBD6911F5B26EAEF4224C52CC76CA7B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:38.443{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169CEE8AB708210277BF06F5B3ADAAD7,SHA256=33D0BEE7ADCFB20C68C81D70235F0255E53BE253DA2BB3C15DFFA3FC6EA973F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:38.203{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8F04E11554A41E2E8CB32848CD732A,SHA256=F9CBF2740458FED3B215C350ACA14F33EFD3F261A47694C2E36EF40EA60ED34E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:39.458{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784AA4DF3B43D7876815A1FDA491AB89,SHA256=63017928BBFA20A57C239FC85F9F51D10C2511F5C208D7368FEA243C42D7583B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:39.360{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FBD1C7ABB49C646B90B7087D964E84,SHA256=5A00B2DA611033E8F37808C89420D6EB03913C46FC5DBEB42EE6B09867FCFFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:40.594{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DADA374DFB50F6EC96061E779807C0ED,SHA256=5F154A42A7C20BCD4FC4DDFECC6A469B1D3F9933E8C26B1F8D6B8624DE013BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:40.489{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B952E6B7A318257D1D67C51288B90BC3,SHA256=7CA8910A76497EA0C137A45EE41D711B80EF6A68F52D87963951FEB9969D9DAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:38.147{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65336-false10.0.1.12-8000- 23542300x800000000000000019687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:41.598{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F86BBEC99BCFBA1FD04FB4221C96216,SHA256=7E7A6CC799873FF5EEAD6CAA4AAE155A9772E6845B676D9AB539A61DC30A6A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:41.704{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0644D4F24A7B4A086D23CBE3EB5ADB5,SHA256=DE7661334F37A2AC139C6D46FEBBF1E388F4DD05BA58D94A7B98A9A63D9FA9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:41.704{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89FA1C8FC7EEB9E7C3D8A2DE0D1FA8C8,SHA256=D4004997A3BB9D495C277B12E10314029F0333C63B54E281CA9EFB50A231F9A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:41.505{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E59964C9C739E576191FFEC5D7E0494,SHA256=C77476EAD2EC63BD49C61A2477B1234573CD0963D1871CAD4AEC7AABB3A9C83B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:42.817{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3AC00E4EF1269E73BC7A848724AFFC,SHA256=6259EFFC479D0316AB020D91B3831098AA6B3B5F7FCFC9ACAE090DB337013B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:42.522{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4CBBD29E5B8B6D62D9965630CBCED2,SHA256=CFBA412945A649DE155FAE2292FDC104FF10BB22826383058533CFDC6C42E2E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:41.031{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50483-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:43.542{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF89D72C37E47FB1C117203DC05AF7CF,SHA256=CE3ECD4BAFB3F8E4FAB5ED5E3E126ED73493C5204CD79DB0FC0344E929B37396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:44.556{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F2B8F303F05DAA1EE88C475D05CB9B,SHA256=BBD617319DD1F393ED9F5FD3B7FB6954C15D809D279AFE5E6F2C7110C8CEF23C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:44.051{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06F2B0F0D9E723CA58CF9DD014E863E,SHA256=168032AE34BF71D6F32DE6A30E563A5B08BD398AF0C474DE27A99C09F340D7AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:44.046{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65337-false10.0.1.12-8000- 23542300x800000000000000046328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:45.572{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA61F3A476669190BB87E57B2EAC29A1,SHA256=3895441775B8342C6E5F99315CC1B2F99F84F310098A2AD12408F09ADA3E4BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:45.129{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E69DAAC2338094E40072CB808658504,SHA256=249DEA1F161321DBB577AF41AF7B41BEA5DACCAC13A17E6315D84F724457B241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:46.587{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2D3FDE6E76C659863F2F69E91BD516,SHA256=F4F815478FE748968B33FB52252C9177D76E6F3779079B516041419C5909CAAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:46.145{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162D2F6327AB2B56298D02A7758AEC91,SHA256=AB3F1DBB46EE557957787BD06A542CAC289B41FEC7709E89AD97D87DE180F470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:47.587{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF04E7B965A4BCF443D5276011AF2982,SHA256=1CD910C5F2A0271F1CD2ED6FE6D1E867C390A649AD2B37B3FFA50C662A8736E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:47.587{328C47E9-32BD-621F-0D00-000000003602}8844108C:\Windows\system32\svchost.exe{328C47E9-38F7-621F-2206-000000003602}3556C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:47.145{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4CAD484D50153985AE8BC45571640A,SHA256=81F0ACEC356A1496D64937C02597A5D041BC66DB6B3CD908D4D9594223ADC3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:48.621{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2136CCC6243A025CF94E0FCD71A72D9C,SHA256=3C97BF1342DA20CC576F31B2F5C4E85D1CC18B8C8747351E258CD373D5A85D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:48.160{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04207719428BB384F3DBAFD89979E8D4,SHA256=9A4079D4FA725D4CD66DF26C5E9EA9FEAC9C53695CD21E194F641D286492A9FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:49.640{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D5AFF849A641C3F9EE34908B31B6EC,SHA256=3F96150886FE317A97D589970A09BCD59C9460E67FC784CD188D72FD7D49328F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:49.254{0B31F0A7-34D4-621F-1100-000000003702}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7925307C1FBDD87CA0258FD23F2E1EA4,SHA256=BE90F88B2489302B069B09416C8B2D2FBED2CD9DBFE5FA30FEF03625E678ACF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:49.176{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19F118A42155881C0A1D125172DD508,SHA256=C80926394D788AF6FEE3772418D78C8D1ACAA2DBF03F252B4713C67A96B95A49,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:46.984{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50484-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:50.654{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE950C09288E77FA6823677D108A28D2,SHA256=D0D5D9EE55B42E8521429EB9D062573A9D553A3E3E89FE9A6AB04486427E90BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:50.192{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE43F860D378AC1AB2A5D05687A21876,SHA256=50307AE57DB63FD0D651B04B257F85D3D9746029FF63016C64A690121F7C6C6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:49.076{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65338-false10.0.1.12-8000- 23542300x800000000000000046336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:51.655{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BADE8CDBCB00F18E308CE160287DBD,SHA256=67B350EC8A4B9238EBA61F90778187A5850E2EDE948EB4D153C44A7AB70C3B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:51.207{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22ACDB479D9ACAE777D8E5DC1D95568,SHA256=B9C9C80D449F2C3E4EC551BA169660BA0630D46EEA0AC1676920EEF6EDF0B0DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:52.670{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B328CF101FA69793FB7007FF50558AB,SHA256=F5F0EB67ACB8A49B5A8F7A7CFDB671CDD0737D2889C5C2E9F1571748AA16288A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:52.223{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B031CD4E4A6583743A8C25688D38C272,SHA256=BF8996873B343E3EA6F6D90854D0A209123C552965B82AF705237144EF21BDAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:53.685{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66820EDB8EF5D9799CE2E748218CDC31,SHA256=5D5C95542DF9AEFBDE41FC4BAEB111DDCDC0ECC3DFBF8D5921321BF6BF0F9142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:53.239{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AEFFD826F81D06AE0905F417531E662,SHA256=8BDA69696CCCD6576F2021423670117810F95F82FB688BEC0CE2D022E772B301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:54.700{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD9539700EC736D8636A1765F6DFBCA,SHA256=1C40956F206FE7B6C18EFD7537539BC4694560FC0146637BC7114135D6E5574B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:54.254{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE0C04E1B858D7A97B2BE079834E262,SHA256=66F0630439D4E10C69FFD62EF68353C9274A40D2BD68B8590990C9B4B808DC59,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:52.000{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50485-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:55.702{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131F8B363603CEFCBB1D18BFF8E94E24,SHA256=4200EFE0DEDC713FAA09A52279814B2153CF8131C4888C591501DFBA081D082D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:55.254{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA1EBB97EDD50AFC5F21B1E053399D3,SHA256=F821DBEE46CED2098638BD80CBA587C2488A5303194538662F2F4D54146388B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:55.155{328C47E9-32BE-621F-1200-000000003602}340NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=466710C4297FA6904FC376C58D0658DC,SHA256=14C34DB3EF40912578AD86C6D1CB60A9C4D4FA634E643904529A04A667B4B7FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:55.044{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65339-false10.0.1.12-8000- 23542300x800000000000000046343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:56.709{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E817016CC6EB84506343669BACFF08,SHA256=5A718B4A74BF30DA0DCDB2D2809416860FC8CD4DFD248C05E27920B7C7C1A9E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:56.270{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C420D74E456736C616C85B38E782F96,SHA256=F461FE147B75E724E66F73B277A0ACA582A5E9C90C0075868CE64643E05C85F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.957{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA886.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.942{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.895{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA845.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.894{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA835.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.841{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA805.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.742{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.742{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32BB-621F-0B00-000000003602}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.742{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-32BB-621F-0A00-000000003602}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.726{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDC98E9A1C16F83E945501A54854053,SHA256=AA0371DB3046312AA94F089621707CAADA6D50656300DD924A1494DE81B1AB8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:57.270{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CB2B3033E0D287A3BD2EF4891972CF,SHA256=EC94A683913D376D9D1FBD9F2F510755E3420CD5CA1875F4DC5FEED575C262D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.655{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.524{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\Administrator\AppData\Local\Temp\BRL000015bc\BRA6CA.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.491{328C47E9-32BE-621F-1600-000000003602}13165064C:\Windows\system32\svchost.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.491{328C47E9-32BE-621F-1600-000000003602}13161364C:\Windows\system32\svchost.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.392{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84AF2A6F93BE2FFA606B49DB448AF1C5,SHA256=9EE516405480244678FB24800E99A1CD9F4FE112259C5EFE8228B8FD04A2A9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.392{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0644D4F24A7B4A086D23CBE3EB5ADB5,SHA256=DE7661334F37A2AC139C6D46FEBBF1E388F4DD05BA58D94A7B98A9A63D9FA9A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.389{328C47E9-32BE-621F-1300-000000003602}9566496C:\Windows\System32\svchost.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.389{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.389{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.388{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.388{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000046358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-VerSetValue2022-03-02 10:19:57.387{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe\REGISTRY\A\{891f7ddc-4902-2bd0-74ab-10a47cb48205}\Root\InventoryApplicationFile\idafree76_window|e0238d3472d5f4c1\BinProductVersion7.6.0.0 13241300x800000000000000046357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-CompileTimeClaimSetValue2022-03-02 10:19:57.387{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe\REGISTRY\A\{891f7ddc-4902-2bd0-74ab-10a47cb48205}\Root\InventoryApplicationFile\idafree76_window|e0238d3472d5f4c1\LinkDate08/13/2020 16:54:32 13241300x800000000000000046356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:19:57.387{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe\REGISTRY\A\{891f7ddc-4902-2bd0-74ab-10a47cb48205}\Root\InventoryApplicationFile\idafree76_window|e0238d3472d5f4c1\Publisherhex-rays sa 13241300x800000000000000046355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PathSetValue2022-03-02 10:19:57.387{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exe\REGISTRY\A\{891f7ddc-4902-2bd0-74ab-10a47cb48205}\Root\InventoryApplicationFile\idafree76_window|e0238d3472d5f4c1\LowerCaseLongPathc:\temp\idafree76_windows.exe 13241300x800000000000000046354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDBSetValue2022-03-02 10:19:57.275{328C47E9-32BE-621F-1300-000000003602}956C:\Windows\System32\svchost.exeHKU\S-1-5-21-255986400-45527644-2136164048-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\idafree76_windows.exeBinary Data 10341000x800000000000000046353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.259{328C47E9-32BE-621F-1300-000000003602}9561256C:\Windows\System32\svchost.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.259{328C47E9-32BE-621F-1300-000000003602}9561256C:\Windows\System32\svchost.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.255{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.254{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.254{328C47E9-38F4-621F-1506-000000003602}39484440C:\Windows\system32\csrss.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.252{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.252{328C47E9-32BD-621F-0C00-000000003602}8285100C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.252{328C47E9-38F8-621F-2E06-000000003602}23087676C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+aae60|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+18cf1c|C:\Windows\System32\SHELL32.dll+18cc73|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:56.373{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe1.0.0.0-IDA Freeware and Hex-Rays Decompilers (x64) 7.6Hex-Rays SAsetup.exe"C:\Temp\idafree76_windows.exe" C:\Temp\ATTACKRANGE\Administrator{328C47E9-38F6-621F-7F7B-3A0000000000}0x3a7b7f2HighMD5=C98212F18747BA286527C851B9E88858,SHA256=2ECC5B2F5329C4E7A4243634801180BE38A397C31A330324C8ABC605F5DFFB9E,IMPHASH=F3DE104AB04CA2D874306D1847BE46DB{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000046390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.993{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRAC94.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.975{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRAC74.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.959{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRAC73.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.959{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRAC72.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.892{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRAC23.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.881{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRAC22.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.818{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.817{328C47E9-32BB-621F-0B00-000000003602}6163884C:\Windows\system32\lsass.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.736{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FB3722B61EC2FDE2ED6957E9EB3F3B,SHA256=D0F27D3BD43969898F12CF7A64CCB07615E641EE9D182165F4AFE66E115260CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:58.285{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D33596605A40424C174F390A456150A,SHA256=5D589535C3EED5950862F7C712629BB14512D3DA70CD8D09B15C9D5F0C6A19B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.287{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E364D795E13FE7D27E22DBF4B6F67E01,SHA256=BD20CD555F825A6A6A6D9048D808C017FA1341AE00442ACF724038BE38653BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.287{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=44278C5C489EDB26D5632FBC658DDC6F,SHA256=C705FFEC0D507AA22C16C6249C4D811263508EA69BB2706BE9738BD0D82A2DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:58.276{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA9B0.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.776{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local63393- 354300x800000000000000046411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.758{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65341-false104.18.30.182-80http 354300x800000000000000046410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.731{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65340-false104.18.31.182-80http 354300x800000000000000046409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.727{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local64156- 23542300x800000000000000046408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.743{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F0EB3ABDBA769DBCC801D4C44FCB5C,SHA256=F0787E87659ACEBDE2B12BE860AC7220B261629771AFD72319B6916AECD8EEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:59.301{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D3AF873F4F717A266FCEE130CF48AA,SHA256=1E5EF43194BBE0DD2CC7627C239AF8B2CF68F0E44F916729E30A4C05759D2BF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.474{328C47E9-38F8-621F-2E06-000000003602}2308412C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.474{328C47E9-38F8-621F-2E06-000000003602}2308412C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.459{328C47E9-38F8-621F-2E06-000000003602}2308412C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.459{328C47E9-38F8-621F-2E06-000000003602}23085336C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.459{328C47E9-38F8-621F-2E06-000000003602}23085336C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.459{328C47E9-38F8-621F-2E06-000000003602}23085336C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.459{328C47E9-38F8-621F-2E06-000000003602}23085336C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.075{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.075{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.075{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.075{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.059{328C47E9-38F7-621F-2706-000000003602}10201336C:\Windows\system32\taskhostw.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.044{328C47E9-38F7-621F-2706-000000003602}10201336C:\Windows\system32\taskhostw.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.044{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.044{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.044{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:59.044{328C47E9-38F8-621F-2E06-000000003602}23084372C:\Windows\Explorer.EXE{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000019708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:19:57.093{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50486-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000046416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:19:57.780{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65342-false104.18.31.182-80http 23542300x800000000000000046415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:00.743{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923AAAABF05CCFDC3724BF333C8DCC6B,SHA256=95933A4ECE4C6918954914448626B5266AF27C98D7CC152DAD28A4DEDF27B426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:00.317{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F13D827302449836CA84D7B2E4C1CB,SHA256=DD7CD5F5DCFBC12B9B4A7C22773E81D025E6BB56AFD7D11F9123F767BDCA6872,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:00.676{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\SiteSecurityServiceState.txt2022-03-02 09:45:00.595 23542300x800000000000000046413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:00.676{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5z0k6x8b.default-release\SiteSecurityServiceState.txtMD5=59069D13E73B745F6D9529B2480DF1DF,SHA256=37DCC217A0C436293BDA1E38EF295E5821454003469980CBE64C5A4F0CD881D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:01.745{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5173FD97BE9176999A42EEB241F0933D,SHA256=8639C39BEF344B535CE3AFB884CF067C663BF86682BF98BEE66EA5729723DD26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:01.357{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03882D2BA7C7D5F132DFA68C9CB46D0,SHA256=5E3B18245CC813FDD7BE30052FAEFFBAB1425771428CED65D979425EA2A16C41,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:01.064{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65343-false10.0.1.12-8000- 23542300x800000000000000046421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:02.760{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B32B5F5B7C613C7D7425E6C5E3BEE8,SHA256=B7770669CD26956F4A10BCB4B13B9984FD175B89E0D712BEDE046C5CE6EEF8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:02.592{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34049CFCC435C4D1D9A6FFE02502D1B3,SHA256=9B6DFA40AEBB52DC09166ED5591AAA4F949CB1DADF1B4F0D43DF61EF58B30B51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:02.560{328C47E9-38F8-621F-2E06-000000003602}23084880C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80281EE7FD8)|UNKNOWN(FFFFB238AFEA5B68)|UNKNOWN(FFFFB238AFEA5CE7)|UNKNOWN(FFFFB238AFEA0371)|UNKNOWN(FFFFB238AFEA1D3A)|UNKNOWN(FFFFB238AFE9FFF6)|UNKNOWN(FFFFF80281BFF503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000046419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:02.560{328C47E9-38F8-621F-2E06-000000003602}23084880C:\Windows\Explorer.EXE{328C47E9-3B6C-621F-9E06-000000003602}1620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80281EE7FD8)|UNKNOWN(FFFFB238AFEA5B68)|UNKNOWN(FFFFB238AFEA5CE7)|UNKNOWN(FFFFB238AFEA0371)|UNKNOWN(FFFFB238AFEA1D3A)|UNKNOWN(FFFFB238AFE9FFF6)|UNKNOWN(FFFFF80281BFF503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:02.560{328C47E9-3B6C-621F-9E06-000000003602}1620ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF46ba72.TMPMD5=D5F6B777ADEFB28682290A3936AE0977,SHA256=B36332BCD52C7798F89CD1708B921A7A0EC7D94EE22121596F5A118680A5259A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:03.639{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFE560D331453ABEA4E871D703D0735,SHA256=10AB605A95417E9746887C5D3244F53FB88421157187C7F9CC55FCE3D01E4C37,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.976{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\clp64.dll2022-03-02 10:20:03.976 11241100x800000000000000046438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.961{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\libdwarf.dll2022-03-02 10:20:03.961 11241100x800000000000000046437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.961{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\Qt5PrintSupport.dll2022-03-02 10:20:03.961 11241100x800000000000000046436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.861{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\Qt5Core.dll2022-03-02 10:20:03.861 11241100x800000000000000046435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:03.845{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\idahelp.chm2022-03-02 10:20:03.845 23542300x800000000000000046434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:03.761{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7B0B7BE5F2467F476F2CA1BB27B768,SHA256=44E6C17675AE18B3000BB9C0B896770ABF26F2A82CF3CC5876C38BC63823D102,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.734{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\Qt5Widgets.dll2022-03-02 10:20:03.734 23542300x800000000000000046432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:03.733{328C47E9-32CB-621F-3000-000000003602}2276NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b2a54b03ec6c5aa7\channels\health\respondent-20220302090310-074MD5=47B9AB6966A9A68B2D576A1C6AA75061,SHA256=8AF396895B30D9593371F8AB463A5CC9CFB2CD271124040E771BFC539AC707CA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.613{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\Qt5Gui.dll2022-03-02 10:20:03.613 11241100x800000000000000046430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.545{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\tds64.dll2022-03-02 10:20:03.545 11241100x800000000000000046429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.545{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\bdescr64.dll2022-03-02 10:20:03.545 11241100x800000000000000046428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:03.529{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\license.txt2022-03-02 10:20:03.529 11241100x800000000000000046427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.513{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\objc64.dll2022-03-02 10:20:03.513 11241100x800000000000000046426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.513{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\win32_user64.dll2022-03-02 10:20:03.497 11241100x800000000000000046425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.497{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\golang64.dll2022-03-02 10:20:03.497 11241100x800000000000000046424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.497{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\dbg64.dll2022-03-02 10:20:03.497 11241100x800000000000000046423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:03.491{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\loaders\pe64.dll2022-03-02 10:20:03.476 23542300x800000000000000019715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:04.873{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797B0F89333CA16CE3D0F171CDF0793C,SHA256=5B78CF0FBF6B7ECCEB956B14478D535533C84AD9C13A45C4F4F0EE62D7F318C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.776{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FBAF55D4567FB54C43744470CA726F,SHA256=2BE9AC067015CC4FF38CC45757ACCB2C4B8444E362FB7B246B59314C5BDD2F3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:03.156{328C47E9-32CB-621F-2D00-000000003602}1236C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-682.attackrange.local53835- 354300x800000000000000019714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:02.868{0B31F0A7-355F-621F-CB00-000000003702}3224C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-468.eu-central-1.compute.internal50487-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.730{328C47E9-32CB-621F-3000-000000003602}2276NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b2a54b03ec6c5aa7\channels\health\surveyor-20220302090308-075MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.661{328C47E9-38F4-621F-1506-000000003602}39482168C:\Windows\system32\csrss.exe{328C47E9-44D4-621F-F807-000000003602}228C:\Windows\SYSTEM32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.661{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.661{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.661{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.661{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.661{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-44D4-621F-F807-000000003602}228C:\Windows\SYSTEM32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Temp\idafree76_windows.exe+117d59 154100x800000000000000046450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.664{328C47E9-44D4-621F-F807-000000003602}228C:\Windows\System32\netsh.exe10.0.14393.0 (rs1_release.160715-1616)Network Command ShellMicrosoft® Windows® Operating SystemMicrosoft Corporationnetsh.exeC:\Windows\SYSTEM32\netsh.exe advfirewall firewall show rule "name=\"IDA" Freeware\"C:\Temp\ATTACKRANGE\Administrator{328C47E9-38F6-621F-7F7B-3A0000000000}0x3a7b7f2HighMD5=4D51BCD0B94D09F5DFB80DF754D31E28,SHA256=E5888E649C881E4BBBCE472F6808F93B2B5564D3094995A5A08E66B2406C1607,IMPHASH=51DC8B92EF1620527201E5276E21BCA7{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe"C:\Temp\idafree76_windows.exe" 10341000x800000000000000046449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:04.661{328C47E9-32BE-621F-1300-000000003602}9566496C:\Windows\System32\svchost.exe{328C47E9-44D4-621F-F807-000000003602}228C:\Windows\SYSTEM32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000046448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.477{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\platforms\qwindows.dll2022-03-02 10:20:04.477 11241100x800000000000000046447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.277{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\dwarf64.dll2022-03-02 10:20:04.277 11241100x800000000000000046446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.261{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\pdb64.dll2022-03-02 10:20:04.261 11241100x800000000000000046445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.199{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\plugins\hexx64.dll2022-03-02 10:20:04.199 11241100x800000000000000046444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.177{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\loaders\macho64.dll2022-03-02 10:20:04.177 11241100x800000000000000046443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.161{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\loaders\elf64.dll2022-03-02 10:20:04.161 11241100x800000000000000046442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.146{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\procs\pc64.dll2022-03-02 10:20:04.146 11241100x800000000000000046441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localEXE2022-03-02 10:20:04.076{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\ida64.exe2022-03-02 10:20:04.076 11241100x800000000000000046440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localDLL2022-03-02 10:20:04.014{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\ida64.dll2022-03-02 10:20:04.014 13241300x800000000000000046479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:20:05.897{328C47E9-32BE-621F-1500-000000003602}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000009c4) 13241300x800000000000000046478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-SetValue2022-03-02 10:20:05.897{328C47E9-32BE-621F-1500-000000003602}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{E52026B6-6DAE-4512-9205-0550734842C0}v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files\IDA Freeware 7.6\ida64.exe|Name=IDA Freeware| 10341000x800000000000000046477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.897{328C47E9-32BE-621F-1500-000000003602}11766204C:\Windows\system32\svchost.exe{328C47E9-44D5-621F-F907-000000003602}6236C:\Windows\SYSTEM32\netsh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+15d5a|c:\windows\system32\mpssvc.dll+2fb3e|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.881{328C47E9-32BE-621F-1600-000000003602}13165064C:\Windows\system32\svchost.exe{328C47E9-44D5-621F-F907-000000003602}6236C:\Windows\SYSTEM32\netsh.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.881{328C47E9-32BE-621F-1600-000000003602}13161364C:\Windows\system32\svchost.exe{328C47E9-44D5-621F-F907-000000003602}6236C:\Windows\SYSTEM32\netsh.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.828{328C47E9-38F4-621F-1506-000000003602}39484440C:\Windows\system32\csrss.exe{328C47E9-44D5-621F-F907-000000003602}6236C:\Windows\SYSTEM32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.828{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.828{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.828{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.828{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-32CB-621F-2900-000000003602}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.828{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-44D5-621F-F907-000000003602}6236C:\Windows\SYSTEM32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Temp\idafree76_windows.exe+117d59 154100x800000000000000046468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.832{328C47E9-44D5-621F-F907-000000003602}6236C:\Windows\System32\netsh.exe10.0.14393.0 (rs1_release.160715-1616)Network Command ShellMicrosoft® Windows® Operating SystemMicrosoft Corporationnetsh.exeC:\Windows\SYSTEM32\netsh.exe advfirewall firewall add rule "name=\"IDA" Freeware\" "dir=in" "action=allow" "program=\"C:\Program" Files\IDA Freeware 7.6\ida64.exe\"C:\Temp\ATTACKRANGE\Administrator{328C47E9-38F6-621F-7F7B-3A0000000000}0x3a7b7f2HighMD5=4D51BCD0B94D09F5DFB80DF754D31E28,SHA256=E5888E649C881E4BBBCE472F6808F93B2B5564D3094995A5A08E66B2406C1607,IMPHASH=51DC8B92EF1620527201E5276E21BCA7{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe"C:\Temp\idafree76_windows.exe" 10341000x800000000000000046467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.828{328C47E9-32BE-621F-1300-000000003602}9566496C:\Windows\System32\svchost.exe{328C47E9-44D5-621F-F907-000000003602}6236C:\Windows\SYSTEM32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.797{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1EACEDB6F6AEA3E3D6A29708CAD485,SHA256=3405D995948D74752BF8EDA5427FB51B1B81A759ACA513A1A8F4D6B911229099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.678{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2C800793EDA5F7F9A87E6639DE8A0DA,SHA256=44C50040CE6FCD8CD38ADDBD896152F493A713799C9B55B309A56F0A6363F783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.677{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84AF2A6F93BE2FFA606B49DB448AF1C5,SHA256=9EE516405480244678FB24800E99A1CD9F4FE112259C5EFE8228B8FD04A2A9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.527{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2A7261855CB5A669A50A7D30F9B1EDD7,SHA256=6ED31E6B226AF0F2ED3128A94D1515F1CAE7DD0486BE40B6A6DCD8FFBFC6139A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.527{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E364D795E13FE7D27E22DBF4B6F67E01,SHA256=BD20CD555F825A6A6A6D9048D808C017FA1341AE00442ACF724038BE38653BD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.427{328C47E9-32BE-621F-1600-000000003602}13165064C:\Windows\system32\svchost.exe{328C47E9-44D4-621F-F807-000000003602}228C:\Windows\SYSTEM32\netsh.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:05.427{328C47E9-32BE-621F-1600-000000003602}13161364C:\Windows\system32\svchost.exe{328C47E9-44D4-621F-F807-000000003602}228C:\Windows\SYSTEM32\netsh.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:06.107{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8487B0912E3449F919C43383DBE72614,SHA256=BE487452B59836DCE6EFB2A1984D4425542C45D056D0883F54791309A4621AC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT10232022-03-02 10:20:06.981{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDA Freeware 7.6\Uninstall IDA Freeware and Hex-Rays Decompilers (x64) 7.6.lnk2022-03-02 10:20:06.981 10341000x800000000000000046499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.959{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfce9(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.959{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfc1c(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.959{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64) 10341000x800000000000000046496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.959{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 23542300x800000000000000046495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.814{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B032112F22CF12BF249D92D97682CBC6,SHA256=621B14296909DCFD8D625A6B63973D473C0ADF37E06F10D3242C620D33639D0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.612{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.496{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1a176c(wow64)|C:\Windows\System32\windows.storage.dll+1bfa58(wow64)|C:\Windows\System32\windows.storage.dll+c0f7e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.496{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1a175e(wow64)|C:\Windows\System32\windows.storage.dll+1bfa58(wow64)|C:\Windows\System32\windows.storage.dll+c0f7e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.496{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1a175e(wow64)|C:\Windows\System32\windows.storage.dll+1bfa58(wow64)|C:\Windows\System32\windows.storage.dll+c0f7e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 11241100x800000000000000046490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT10232022-03-02 10:20:06.480{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDA Freeware 7.6\IDA Freeware.lnk2022-03-02 10:20:06.480 11241100x800000000000000046489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT10232022-03-02 10:20:06.396{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDA Freeware 7.62022-03-02 10:20:06.396 11241100x800000000000000046488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localEXE2022-03-02 10:20:06.380{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\uninstall.exe2022-03-02 10:20:06.380 13241300x800000000000000046487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1183,IFEOSetValue2022-03-02 10:20:06.380{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idat64.exe\DisableExceptionChainValidationDWORD (0x00000000) 13241300x800000000000000046486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1183,IFEOSetValue2022-03-02 10:20:06.380{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ida64.exe\DisableExceptionChainValidationDWORD (0x00000000) 13241300x800000000000000046485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1183,IFEOSetValue2022-03-02 10:20:06.376{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idat64.exe\MitigationOptionsDWORD (0x00000100) 13241300x800000000000000046484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1183,IFEOSetValue2022-03-02 10:20:06.375{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ida64.exe\MitigationOptionsDWORD (0x00000100) 13241300x800000000000000046483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1183,IFEOSetValue2022-03-02 10:20:06.359{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idat64.exe\CWDIllegalInDllSearchDWORD (0xffffffff) 13241300x800000000000000046482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1183,IFEOSetValue2022-03-02 10:20:06.359{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ida64.exe\CWDIllegalInDllSearchDWORD (0xffffffff) 13241300x800000000000000046481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1042SetValue2022-03-02 10:20:06.359{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKCR\IDApro.Database64\shell\open\command\(Default)"C:\Program Files\IDA Freeware 7.6\ida64.exe" "%%1" 13241300x800000000000000046480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT1042SetValue2022-03-02 10:20:06.359{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKCR\WinGraph.File\shell\open\command\(Default)"C:\Program Files\IDA Freeware 7.6\wingraph32.exe" "%%1" 23542300x800000000000000046541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.838{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D36884FD19EF6C515DC21031D48D7C4,SHA256=9BDB665467F170F513454DC91493120AACFBA6E1E45CD371A8DE294471DD0FCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44D7-621F-9B05-000000003702}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-34D3-621F-0500-000000003702}392508C:\Windows\system32\csrss.exe{0B31F0A7-44D7-621F-9B05-000000003702}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.951{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44D7-621F-9B05-000000003702}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.952{0B31F0A7-44D7-621F-9B05-000000003702}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:07.342{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D00CCB6408766CA5337B692D39F35BF,SHA256=EAE426437286B8F2F2655EE9EE205833A4416E70F6B97BD6E8DC4817DC67804A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.727{328C47E9-32BE-621F-1600-000000003602}13165064C:\Windows\system32\svchost.exe{328C47E9-44D7-621F-FA07-000000003602}7680C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.727{328C47E9-32BE-621F-1600-000000003602}13161364C:\Windows\system32\svchost.exe{328C47E9-44D7-621F-FA07-000000003602}7680C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.714{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-44D7-621F-FA07-000000003602}7680C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.701{328C47E9-38F4-621F-1506-000000003602}39484440C:\Windows\system32\csrss.exe{328C47E9-44D7-621F-FA07-000000003602}7680C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.696{328C47E9-32BB-621F-0500-000000003602}400372C:\Windows\system32\csrss.exe{328C47E9-44D7-621F-FA07-000000003602}7680C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.695{328C47E9-32BD-621F-0C00-000000003602}828108C:\Windows\system32\svchost.exe{328C47E9-44D7-621F-FA07-000000003602}7680C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.179{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E1914465AC58C038DB20BD6D0F7D41,SHA256=CB44F8F1CD4A13BCAEFD22F273B8199CE77DDAA49005E6C5B0F72CEA147E85EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.128{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfce9(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.128{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfc1c(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.128{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.128{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 11241100x800000000000000046529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.112{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Users\Public\Desktop\IDA Freeware 7.6.lnk2022-03-02 10:20:07.097 23542300x800000000000000046528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.112{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Users\Public\Desktop\IDA Freeware 7.6.lnkMD5=DE9B4A0194905741C5115BC474BAF2AD,SHA256=32DE2763C463598CCDC2A8E0EE4F619EE2C3CE51BB77481CB1A884E2AD28D44C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.112{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfce9(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.112{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfc1c(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.112{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64) 10341000x800000000000000046524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.112{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 23542300x800000000000000046523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.112{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2C800793EDA5F7F9A87E6639DE8A0DA,SHA256=44C50040CE6FCD8CD38ADDBD896152F493A713799C9B55B309A56F0A6363F783,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.097{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Users\Public\Desktop\IDA Freeware 7.6.lnk2022-03-02 10:20:07.097 10341000x800000000000000046521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.059{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfce9(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.059{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfc1c(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.059{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.059{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 11241100x800000000000000046517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.044{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\Uninstall IDA Freeware and Hex-Rays Decompilers (x64) 7.6.lnk2022-03-02 10:20:07.044 23542300x800000000000000046516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.044{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\Uninstall IDA Freeware and Hex-Rays Decompilers (x64) 7.6.lnkMD5=2659E5B52939237A7A24A88CB1B48A77,SHA256=4D99CFFF703C7374FB8A7EF1BFF9A0776301F267A84C4D7F7C4E642BEC01538F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.044{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfce9(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.044{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfc1c(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.044{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64) 10341000x800000000000000046512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.044{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 11241100x800000000000000046511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.044{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\Program Files\IDA Freeware 7.6\Uninstall IDA Freeware and Hex-Rays Decompilers (x64) 7.6.lnk2022-03-02 10:20:07.044 10341000x800000000000000046510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.028{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfce9(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.012{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfc1c(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.012{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 10341000x800000000000000046507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.012{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA875.tmp+1189(wow64) 11241100x800000000000000046506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localT10232022-03-02 10:20:06.997{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDA Freeware 7.6\Uninstall IDA Freeware and Hex-Rays Decompilers (x64) 7.6.lnk2022-03-02 10:20:06.981 23542300x800000000000000046505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.997{328C47E9-44CC-621F-F707-000000003602}5564ATTACKRANGE\AdministratorC:\Temp\idafree76_windows.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDA Freeware 7.6\Uninstall IDA Freeware and Hex-Rays Decompilers (x64) 7.6.lnkMD5=5EA8E5863934A21D48B5696FC50941C3,SHA256=98353079958FFD4FE7556066ACCD5BE37C26BE60E6FF47CD3930A6A972E5B13D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.997{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfce9(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.997{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1bfc1c(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 10341000x800000000000000046502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.997{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64) 10341000x800000000000000046501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:06.997{328C47E9-44CC-621F-F707-000000003602}55647660C:\Temp\idafree76_windows.exe{328C47E9-38F8-621F-2E06-000000003602}2308C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1bfc07(wow64)|C:\Windows\System32\windows.storage.dll+1bfae5(wow64)|C:\Windows\System32\windows.storage.dll+1bf946(wow64)|C:\Windows\System32\windows.storage.dll+c0f8e(wow64)|C:\Windows\System32\windows.storage.dll+c0e0b(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+2b4b7(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\BRL000015bc\BRA739.tmp+724b(wow64)|C:\Temp\idafree76_windows.exe+e6ce1 354300x800000000000000046544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:07.070{328C47E9-32D8-621F-6E00-000000003602}3664C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-682.attackrange.local65344-false10.0.1.12-8000- 23542300x800000000000000046543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:08.857{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D862D36D2579C40660E1B11D4C40A4EA,SHA256=AD75159D19FDC944664EC426D2385BBA7AD15A7D4AE48A10EB0D6A059CFFA0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.967{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AC439406B83B67131E580060AF9808E,SHA256=13AF48E1DAF611CFA3BB1F2557740FD198B905869AA7054385ACD6F47D30F413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.967{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8DD9F9F0189AF9BF69B7BF853F86FF4,SHA256=C67B61CD62DB0A33A2D4A28FE32A4A831A0C1A1FE2C457839784291A56D0EC59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.904{0B31F0A7-44D8-621F-9C05-000000003702}6563664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44D8-621F-9C05-000000003702}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-34D3-621F-0500-000000003702}392508C:\Windows\system32\csrss.exe{0B31F0A7-44D8-621F-9C05-000000003702}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.732{0B31F0A7-3557-621F-9D00-000000003702}29243096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0B31F0A7-44D8-621F-9C05-000000003702}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.733{0B31F0A7-44D8-621F-9C05-000000003702}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0B31F0A7-34D3-621F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0B31F0A7-3557-621F-9D00-000000003702}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:08.422{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0D2C4BD32C3890E792B268D28C2139,SHA256=690C874379683E5DAAB2B159B0F04D456FE9129CD9CD283749F8AAFDBD1B3B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:08.766{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2C9BC83AB106AC63F5CA35B5A02AC9E,SHA256=0FD50E1214204D8F3B1C7AF7CF98C868B9D9CE90E7406AE62948E41B5D2B485E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.local-2022-03-02 10:20:09.863{328C47E9-32DF-621F-7700-000000003602}3428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CF91B058D36A9BFDAAC63A3C095EBB,SHA256=901D31C5BA8BA35A2CF4EB5612211F082D0CD0D6DAE827F2EF2CCEA19A700363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.701{0B31F0A7-3565-621F-D400-000000003702}412NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D092663C3DA15FDD169A0EDEA92618,SHA256=4631977B69289A46F732B604192105EE4E8163B2592EC50444E05F5C7444750E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-682.attackrange.localInvDB-PubSetValue2022-03-02 10:20:09.022{328C47E9-44CC-621F-F707-000000003602}5564C:\Temp\idafree76_windows.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IDA Freeware and Hex-Rays Decompilers (x64) 7.6\PublisherHex-Rays SA 10341000x800000000000000019760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-3558-621F-A100-000000003702}30362024C:\Windows\system32\conhost.exe{0B31F0A7-44D9-621F-9D05-000000003702}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-468-2022-03-02 10:20:09.404{0B31F0A7-34D4-621F-0C00-000000003702}7122488C:\Windows\system32\svchost.exe{0B31F0A7-34D4-621F-2100-000000003702}1988C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019755